Had a recent entanglement with a vulnerability bounty hunter who took it upon himself to show us the errors of our ways and exploit one of our Apache2 systems using the Git Source Code Exposure (https://bit.ly/3tgqfHj). Luckily the server exposed was not mission-critical and held no valuable or personally identifiable info.
However, this eye-opener led me to take a deeper look at that particular web server, and what I found was... well... a publicly facing Adminer.
I thought it interesting that the bounty hunter did not alert us to this highly critical vulnerability that could allow our source code to be modified and expose our web users to malicious code.
From now on I will make it a point to steer companies away from tools like phpMyAdmin and Adminer (as attractive as they might look). It's not worth the risk, and if they must be used, do not make them public facing!!! But if they have to be, definitely apply .htaccess rules to restrict who can access the page.
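As an added example (not from the original post, and not Adminer's or Apache's own documentation), here is one .htaccess that closes both findings described above: it blocks the exposed .git directory and fences Adminer behind an IP allow-list plus basic auth. It assumes Apache 2.4 (`Require` syntax), that `AllowOverride` permits these directives and mod_rewrite is enabled, that Adminer is installed as `adminer.php` in the same directory, and that 203.0.113.0/24 is the office/VPN range that should reach it; all of those are placeholders to adjust.

```apache
# Added example, not part of the original post. Assumes Apache 2.4 with
# AllowOverride allowing these directives, mod_rewrite enabled, Adminer at
# ./adminer.php, and 203.0.113.0/24 as the trusted admin network (placeholder).

# Finding 1: the .git directory was downloadable. FilesMatch only sees file
# names (e.g. "HEAD", "config"), so the directory itself is blocked with a
# rewrite rule; the FilesMatch below additionally denies any dotfile such
# as .env or .htpasswd that may sit in the document root.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteRule "(^|/)\.(git|svn|hg|env)(/|$)" - [F,L]
</IfModule>
<FilesMatch "^\.">
    Require all denied
</FilesMatch>

# Finding 2: Adminer was reachable by anyone. RequireAll means the request
# must BOTH come from the trusted network AND present valid credentials;
# the htpasswd file lives outside the document root on purpose.
<Files "adminer.php">
    AuthType Basic
    AuthName "Database administration"
    AuthUserFile "/etc/apache2/adminer.htpasswd"
    <RequireAll>
        Require ip 203.0.113.0/24
        Require valid-user
    </RequireAll>
</Files>
```

Create the credentials file with `htpasswd -c /etc/apache2/adminer.htpasswd dbadmin`, then verify from an untrusted address that `curl -sI https://example.com/.git/HEAD` and `curl -sI https://example.com/adminer.php` both return 403 rather than 200 (or 401 for Adminer without credentials from a trusted address). If you control the server config, the same directives are better placed in the `<VirtualHost>` block with `AllowOverride None`, since an attacker who can write to the document root can also edit or delete the .htaccess file.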