On Aug 21, 2009, at 5:47 PM, "Gregory P. Ennis" <PoMec at PoMec.Net> wrote:

>
> On Fri, Aug 21, 2009 at 5:31 PM, Ray Van Dolson<rayvd at bludgeon.org> wrote:
>
>>
>> Nope, but you can take steps to prevent (or make it more difficult) for
>> people that shouldn't be accessing it from accessing it.
>>
>> Apache allow from, etc... basic authentication, make sure you're using
>> HTTPS and selinux.
>
> Along these lines (following up here, though it's mostly to the OP),
> you may also want to look at your php.ini for some hardening as well.
> The default php.ini ships with allow_url_fopen enabled, which tells
> php to treat remote files like they're local. In some cases this is
> needed, but I really consider it a huge security hole, and if
> disabling doesn't break your website, I would suggest you do so.
>
> ----------------
>
> Jim,
>
> Great suggestion. Thank you!!!!!

You weren't the only one who had phpmyadmin used to exploit their server. There was a thread not too long back of another whose server was hacked through some phpmyadmin script injection exploit.

For everyone who reads this: Do Not run phpmyadmin on a forward facing server! It is for behind the firewall only! And even then to restricted users over SSL protected by password.

-Ross
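Added example, not part of the original thread and not from any of its posters: an Apache configuration that combines the measures named above (address-based `Allow from`, basic authentication, HTTPS only). The alias, the install directory, the 192.168.1.0/24 subnet and the password file path are assumptions chosen for illustration.

```apache
# Constructed example. Assumed values: install path /usr/share/phpMyAdmin,
# internal subnet 192.168.1.0/24, password file created with htpasswd.
Alias /phpmyadmin /usr/share/phpMyAdmin

<Directory /usr/share/phpMyAdmin>
    # Refuse plain HTTP so the password never crosses the wire in clear text
    # (requires mod_ssl).
    SSLRequireSSL

    # Basic authentication on top of whatever login phpMyAdmin itself does.
    AuthType Basic
    AuthName "phpMyAdmin"
    AuthUserFile /etc/httpd/conf/phpmyadmin.htpasswd

    # Apache 2.2 syntax (current when this thread was written):
    # deny everyone, then allow only localhost and the internal subnet.
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
        Allow from 127.0.0.1
        Allow from 192.168.1.0/24
        Require valid-user
        # Both the address check and the password check must pass.
        Satisfy all
    </IfModule>

    # Apache 2.4 syntax for the same policy.
    <IfModule mod_authz_core.c>
        <RequireAll>
            Require ip 127.0.0.1 192.168.1.0/24
            Require valid-user
        </RequireAll>
    </IfModule>
</Directory>
```

The php.ini hardening mentioned in the thread is the single line `allow_url_fopen = Off`; restart Apache after either change and confirm that a request from outside the allowed subnet gets a 403.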