• There is NO official Otland's Discord server and NO official Otland's server list. The Otland's Staff does not manage any Discord server or server list. Moderators or administrator of any Discord server or server lists have NO connection to the Otland's Staff. Do not get scammed!

Security A warning to everyone who's running XAMPP.

Status
Not open for further replies.
I've recently seen alot of users getting hacked, so I've used some of my free time to look into this and I found a "security vulnerability" in phpMyAdmin which comes with XAMPP. The control user pma comes with an empty password as default, and XAMPP does not alert the user about this.

I'm not going to explain in details how you can take advantage of this vulnerability, but to explain it in a single sentence: the user pma has more permissions than it should have.

NOTE: The instructions below will break pmadb. pmadb is not necessary to host an OpenTibia server, so if you want to make this easy for you it's just to drop the control user. If you want to keep pmadb and fix this the proper way you can do as stated in the "Change the password of the “pma” user in phpMyAdmin" section here: XAMPP Security: Create “pma” Password Not Covered by the Security Script and Password Protect XAMPP Folders and Directories.

Instructions to drop the control user:
1. Enter phpMyAdmin with root user.
2. Below the phpMyAdmin logo (at the left sidebar) you can see a button that has the text SQL, click on it.
3. A textbox will appear where you can insert a query, insert this:
Code: 
DROP USER 'pma'@'localhost';
4. Click on Execute, if you get any error post it in this thread and we'll try to help you.

Now to be sure it worked, logout from phpmyadmin and try to login with the user pma without any password. If it doesn't work then your server should be secure against this vulnerability.
 
Click to expand...
thanks, will try it right now ill my post if it worked or not.

For me it looked like this:

After i typed and executed
fykf8h.jpg


Logged out and tried to login with PMA without password:
2dl6r2s.jpg
 
Last edited:
ZoOorO said:
thanks, will try it right now ill my post if it worked or not.

For me it looked like this:

After i typed and executed
fykf8h.jpg


Logged out and tried to login with PMA without password:
2dl6r2s.jpg
Click to expand...

If it doesn't work to login on pma without any password you don't have to worry.
 
ye posted the pictures to show how it should look like :D
 
well atleast now u know we didnt read this on milw0rm, we searched and found by ourselves :)
 
I get this when I follow these steps.

Connection for controluser as defined in your configuration failed.
 
Are we sure that Rabbe~Dude was hacking our servers through the pma user? Or did he do it through another way?
 
They did, Tala has got the logs of exactly what they did on the server.
 
Znote said:
Are we sure that Rabbe~Dude was hacking our servers through the pma user? Or did he do it through another way?
Click to expand...

If you can send me your apache logs I can check whether or not it was done with the pma user.
 
I've just check and like 6/10 are NOT protected for pma.
 
Status
Not open for further replies.

Similar threads

Giorox
Naive Dockerized TFS 1.5
Replies
5
Views
1K
OTAmator
O
Back
Top