- Status Closed
-
Assigned To
cbay - Private
Attached to Project: Security vulnerabilities
Opened by SpaceCowb0y - 07.04.2026
Last edited by cbay - 08.04.2026
FS#314 - Phppgadmin Subdomain allows access with default credentials
Hi security team, the subdomain phppgadmin.alwaysdata.com, specifically this link: 'https://phppgadmin.alwaysdata.com/phppgadmin/login.php?server='
It grants access with the default credentials admin:admin, which then prompts the user with a login page for the internal PostgreSQL server. I didn't try to brute force it, but this is one attack vector among others that can be used to access the database. It's essential to hide such subdomains from public access and move the server into an internal network subnet, or restrict access using web-app-firewalls that return 403 based on certain rules. There are many ways to enhance the security of this subdomain.
I hope you found this report helpful in securing your assets.
Regards,
Hello,
Although admin/admin does seem to log you in, you actually don't get any access at all.
Kind regards,
Cyril