By default Apache 2 is configured in a way that phpmyadmin is automatically included to all the hosted web sites. For example, if I create a new site ‘site.com’, and then navigate to this address:
http://site.com/phpmyadmin
the phpmyadmin login page appears.
By default, Apache on Ubuntu executes all PHP scripts under www-data user, hence in situations where multiple mutually distrusting users have the possibility to put their PHP scripts on the server they could potentially spy on each other private data.
For example, the user user1 could put a PHP script that access file ‘file1.txt’ belonging to user2:
echo file_get_contents("/home/user2/www/file1.txt");
