
Security: A warning to everyone who's running XAMPP.

I've recently seen a lot of users getting hacked, so I've used some of my free time to look into this, and I found a "security vulnerability" in phpMyAdmin, which comes with XAMPP. The control user pma comes with an empty password by default, and XAMPP does not alert the user about this.

I'm not going to explain in detail how you can take advantage of this vulnerability, but to explain it in a single sentence: the user pma has more permissions than it should have.

NOTE: The instructions below will break pmadb. pmadb is not necessary to host an OpenTibia server, so if you want to make this easy for yourself, just drop the control user. If you want to keep pmadb and fix this the proper way, you can do as stated in the "Change the password of the "pma" user in phpMyAdmin" section here: XAMPP Security: Create "pma" Password Not Covered by the Security Script and Password Protect XAMPP Folders and Directories.

Instructions to drop the control user:
1. Enter phpMyAdmin with root user.
2. Below the phpMyAdmin logo (at the left sidebar) you can see a button that has the text SQL, click on it.
3. A textbox will appear where you can insert a query, insert this:
Code:
DROP USER 'pma'@'localhost';
4. Click on Execute, if you get any error post it in this thread and we'll try to help you.

Now, to be sure it worked, log out from phpMyAdmin and try to log in with the user pma without any password. If it doesn't work, then your server should be secure against this vulnerability.
 
It's also in XAMPP 1.6.6a; a lot of users have this version. Hopefully I wasn't hacked. Thanks Tala for the info.

Edit

I have a question: when I typed www.konu.pl/phpmyadmin

there appeared:
"Forbidden

You don't have permission to access /phpmyadmin on this server."

How did they do this security? It's good.
 


xampp/phpmyadmin/index.php

After the first line:
Code:
<?php
Add
Code:
echo "<h1>Forbidden<br /></h1> You don't have permission to access /phpmyadmin on this server.";
exit;

It should look like this:
Code:
<?php

echo "<h1>Forbidden<br /></h1> You don't have permission to access /phpmyadmin on this server.";
exit;

/* vim: set expandtab sw=4 ts=4 sts=4: */

Look at mine:
http://rox666.com/phpmyadmin/
 
Thanks mate

But will it allow me to enter? :D hehe, I suppose not :> or am I wrong?
 
.htaccess file, please.
Code:
# Apache 2.2 syntax: Order takes a single argument with no space,
# and "deny,allow" is needed so the Allow line overrides the Deny line.
Order deny,allow
Deny from all
Allow from 127.0.0.1
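The .htaccess above and the index.php edit earlier in the thread differ in scope: an echo/exit at the top of index.php only stops requests to index.php, while any other .php file in the phpMyAdmin folder stays directly reachable, and an .htaccess only takes effect when AllowOverride permits it for that directory. The following is an added example, not from the thread or from XAMPP's shipped configuration, showing the same restriction done in the main Apache config so it covers every file under the alias. The path C:/xampp/phpMyAdmin is XAMPP's default install location and is an assumption here; on Linux use the directory phpMyAdmin was unpacked into.

```apache
# Added example (not from the thread): restrict the whole phpMyAdmin alias
# to the local machine. Put this in httpd.conf (XAMPP keeps its own copy in
# apache/conf/extra/httpd-xampp.conf) and restart Apache afterwards.
# Assumed path: C:/xampp/phpMyAdmin (XAMPP default).
Alias /phpmyadmin "C:/xampp/phpMyAdmin"

<Directory "C:/xampp/phpMyAdmin">
    # Apache 2.2 (what XAMPP 1.6.x ships): deny everyone first, then
    # allow only loopback. "Order deny,allow" makes Allow win over Deny.
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1 ::1

    # Apache 2.4 equivalent: delete the three lines above and use
    #   Require local
</Directory>
```

After restarting, a request from any other host gets a 403 for every script in the folder, not just index.php, and a request from the server itself (127.0.0.1 or ::1) still works. If you keep the .htaccess approach instead, the Directory block needs at least `AllowOverride Limit` for the Order/Deny/Allow lines to be read.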

Thanks. I don't have anything against you, Elf, but you are acting like you are the smartest man on this forum, and maybe it's true, but remember that nobody can do everything. You are good at programming things, and everyone respects you for your work, but you laugh at us when we ask you very simple questions :) So think about it sometime, or just blame me :p ;) You don't have to reply to this.

Greetings / no offence intended.
 
Did I say something wrong while posting the .htaccess solution? o.0
- You asked how konu.pl has something like that.
-- The guy answered that it's a modified index.
--- I answered '.htaccess please', meaning they have it 90% like that, and the post above is bullshit. Then I added an example of how to do it.

I don't know why you're attacking me, but well, have fun!
 
Just to point out, pma is a required username for phpMyAdmin's relational features. If you delete it you may break phpMyAdmin/MySQL.
apache forum said:
MySQL control user settings (this user must have read-only access to the "mysql/user" and "mysql/db" tables. The control user is also used for all relational features (pmadb).

Here's what you should do: Gentoo: phpMyAdmin Insecure SQL script installation - The Community's Center for Security

I'd also make sure user pma is set to these privileges:
User/pma - Host/localhost - Password/NO - Global Privileges/SHUTDOWN - Grant/NO
The above access limits user pma to only be able to shut down MySQL. Source: Apache Forum :: View topic - Noob MySQL Question

I'd also set a password for root. Obviously people should be doing this, but XAMPP does not do it by default. Also make sure your phpMyAdmin panel can only be accessed via localhost. If you need to make it remotely accessible, then you definitely need to have a root password set, or else you're asking to get hacked.
 
I can agree. I doubt removing the pma user is such a good idea; it would be much smarter to simply change its password.

A guide for how to do that can be found here:

XAMPP Security: Create "pma" Password Not Covered by the Security Script and Password Protect XAMPP Folders and Directories

Also, personally I can't see what the big fuss is with pma... It doesn't really have any privileges, so you can't do much. All you can do is view global variables and look at logs of queries done in phpMyAdmin, oh, and of course check out the information_schema, but that's more or less all... nothing serious from what I can see.
 

Believe me, I wouldn't post this as an announcement if you couldn't do serious damage with it.

I'm not a XAMPP user, so perhaps you need the pma user for some actions, but they're probably not even used by the average OT server hoster.
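The thread gives three ways to deal with pma: drop it (the first post), give it a password (the XAMPP Security guide linked above), or cut its privileges down. The statements below are an added example, not from the thread and not phpMyAdmin's own scripts, that audits the server for passwordless accounts and then does the last two fixes together on a MySQL 5.0/5.1-era server such as the one XAMPP 1.6.x bundles. Run them as root from phpMyAdmin's SQL tab or the mysql command line. Assumptions: the pmadb is XAMPP's default database named phpmyadmin (check $cfg['Servers'][$i]['pmadb'] in config.inc.php), the placeholder password must be replaced with your own and mirrored as $cfg['Servers'][$i]['controlpass'], and the column list granted on mysql.user is modelled on what phpMyAdmin's create_tables.sql grants, deliberately leaving out the Password column so pma cannot read other accounts' hashes.

```sql
-- Added example (not from the thread). Target: MySQL 5.0/5.1 as shipped
-- with XAMPP 1.6.x. Assumed pmadb name: phpmyadmin (XAMPP default).

-- 1. Audit: every account that can log in with an empty password.
--    (On MySQL 5.7+ the column is authentication_string, not Password.)
SELECT User, Host
FROM mysql.user
WHERE Password = '';

-- 2. Record what pma can do before changing anything.
SHOW GRANTS FOR 'pma'@'localhost';

-- 3. Give the control user a real password. Placeholder below; generate
--    your own and set the same value as controlpass in config.inc.php.
--    (SET PASSWORD ... = PASSWORD() is the 5.x form; 5.7 deprecates and
--    8.0 removes it in favour of ALTER USER ... IDENTIFIED BY.)
SET PASSWORD FOR 'pma'@'localhost' = PASSWORD('CHANGE-ME-long-random-secret');

-- 4. Drop every global and database privilege, then grant back only what
--    the relational features need: read access to the privilege tables
--    (without the Password column) and full access to the pmadb tables.
--    Nothing global: no SHUTDOWN, no FILE, no SUPER, no GRANT OPTION.
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'pma'@'localhost';

GRANT SELECT (Host, User, Select_priv, Insert_priv, Update_priv,
              Delete_priv, Create_priv, Drop_priv, Reload_priv,
              Shutdown_priv, Process_priv, File_priv, Grant_priv,
              References_priv, Index_priv, Alter_priv, Show_db_priv,
              Super_priv, Create_tmp_table_priv, Lock_tables_priv,
              Execute_priv, Repl_slave_priv, Repl_client_priv)
    ON mysql.user TO 'pma'@'localhost';
GRANT SELECT ON mysql.db          TO 'pma'@'localhost';
GRANT SELECT ON mysql.tables_priv TO 'pma'@'localhost';
GRANT SELECT, INSERT, UPDATE, DELETE ON phpmyadmin.* TO 'pma'@'localhost';

FLUSH PRIVILEGES;

-- 5. Verify: the audit query must now return no rows, and the grant list
--    must contain only the statements from step 4 plus USAGE.
SELECT User, Host
FROM mysql.user
WHERE Password = '';

SHOW GRANTS FOR 'pma'@'localhost';
```

The step-1 query is worth running on its own even if you decide to drop pma as the first post describes: it catches the root account XAMPP ships without a password, and any other empty-password account, in the same pass. After step 4, the check from the first post (log out of phpMyAdmin and try to log in as pma without a password) should fail, and pma's relational features keep working once controlpass in config.inc.php matches the new password.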
 
Your SQL query has been executed successfully (Query took 0.1150 sec)


Wewt thanks :D
 
It's not only on XAMPP. Look at the video -- on Linux Gentoo, Debian etc...

@down Can I make a video? ;)

Please don't post videos on how to take advantage of this vulnerability; there are still a lot of affected servers. I tried the same thing you did in that video on Debian Etch. I couldn't reproduce it (I can't log in with a random user or with pma). I downloaded phpMyAdmin from the Debian repositories. Did you download your phpMyAdmin through emerge or from phpmyadmin.net?
This problem is not in phpMyAdmin. The problem is in the configuration of MySQL. And stupid users... using the root user for a running OT server... root has access to file write/read...

btw, look at the history of a very old post: http://otland.net/97650-post4.html
I'll edit it for security...
 
It's not only on XAMPP. Look at the video -- on Linux Gentoo, Debian etc...

Debian is not affected by this, at least not Etch (stable, 4.0).


Normally MySQL has a random password set for its control user, at least it does on Debian. The user is called debian-sys-maint. So I'm still blaming XAMPP/phpMyAdmin for this and not the MySQL devs, because I don't think they created the pma user. XAMPP should improve their security script where it asks you to set the root password. It should also ask you to set a password for the control user.

I'll probably revise the MYSQL_HELP file in The Forgotten Server later to explain how to download MySQL, PHP and Apache as separate packages instead of using XAMPP.
 
Yes, I tested locally and you are right... This problem only appears on OVH-installed Debian and Ubuntu. I had wrong information... ;-|
 