
[Security] A warning to everyone who's running XAMPP.

I've recently seen a lot of users getting hacked, so I've used some of my free time to look into this and I found a "security vulnerability" in phpMyAdmin which comes with XAMPP. The control user pma comes with an empty password as default, and XAMPP does not alert the user about this.

I'm not going to explain in details how you can take advantage of this vulnerability, but to explain it in a single sentence: the user pma has more permissions than it should have.

NOTE: The instructions below will break pmadb. pmadb is not necessary to host an OpenTibia server, so if you want to make this easy for you it's just to drop the control user. If you want to keep pmadb and fix this the proper way you can do as stated in the "Change the password of the “pma” user in phpMyAdmin" section here: XAMPP Security: Create “pma” Password Not Covered by the Security Script and Password Protect XAMPP Folders and Directories.

Instructions to drop the control user:
1. Enter phpMyAdmin with root user.
2. Below the phpMyAdmin logo (at the left sidebar) you can see a button that has the text SQL, click on it.
3. A textbox will appear where you can insert a query, insert this:
Code:
DROP USER 'pma'@'localhost';
4. Click on Execute. If you get any error, post it in this thread and we'll try to help you.

Now, to be sure it worked, log out from phpMyAdmin and try to log in with the user pma without any password. If it doesn't work, then your server should be secure against this vulnerability.
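As an added example (not part of the original post), the same lockdown done as a root SQL script instead of through the phpMyAdmin UI. It goes a bit beyond the steps above: it audits for every passwordless or anonymous account first, offers the keep-pmadb variant from the linked article alongside the DROP USER route, and also removes the anonymous ''@'localhost' account that shows up in later replies. It assumes a MySQL 5.1-era XAMPP, where mysql.user still has the `Password` column; the password value is a placeholder you must replace.

```sql
-- Added example, not from the original post. Run as root from the
-- phpMyAdmin SQL tab or the mysql command line.
-- Assumption: MySQL 5.1-era XAMPP (mysql.user has a `Password` column;
-- on 5.7+ the column is `authentication_string`).

-- 1. Audit: every account that can log in with an empty password, plus
--    anonymous accounts (empty User). The thread's "pma" and ''@'localhost'
--    reports are both rows of this result.
SELECT User, Host, Password
FROM mysql.user
WHERE Password = '' OR User = '';

-- 2a. Keep pmadb working: give the control user a real password and limit
--     it to the phpmyadmin database. Put the same value in config.inc.php
--     as $cfg['Servers'][$i]['controlpass'].
SET PASSWORD FOR 'pma'@'localhost' = PASSWORD('REPLACE_WITH_STRONG_PASSWORD');
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'pma'@'localhost';
GRANT SELECT, INSERT, UPDATE, DELETE ON phpmyadmin.* TO 'pma'@'localhost';

-- 2b. Or, as the first post does, remove the control user entirely
--     (this breaks pmadb, which an OT server does not need):
-- DROP USER 'pma'@'localhost';

-- 3. Remove the anonymous account. If it does not exist, DROP USER
--    reports #1396, which is harmless here.
DROP USER ''@'localhost';

FLUSH PRIVILEGES;

-- 4. Re-run the audit; it should now return no rows.
SELECT User, Host
FROM mysql.user
WHERE Password = '' OR User = '';
```

If step 2a or 2b also fails with #1396, the account you are trying to change is not the one in mysql.user; check the exact User and Host pair returned by the audit in step 1 before retrying.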
 
Check the version of PMA in older versions of XAMPP; 2.11.9.2 > are not vulnerable.

But again, pma is not vulnerable itself, when configuration allows you to paste any content of file into the table nothing is secure ;p
 
#1396 - Operation DROP USER failed for 'pma'@'localhost'

Never before had this error while doing what you said :|

I can still log on pma :/
 
#1396 - Operation DROP USER failed for 'pma'@'localhost'

Never before had this error while doing what you said :|

I can still log on pma :/

Did you delete it from root?
Why is the site where I change my password and create a database not working?
 
I get this error, please help me.
Error

consulta SQL: DocumentaciónEditar

SELECT `db_name` , `comment`
FROM `phpmyadmin`.`pma_column_info`
WHERE `column_name` = '(db_comment)'

#1142 - SELECT command denied to user ''@'localhost' for table 'pma_column_info'
 
I get this error, please help me.
Error

consulta SQL: DocumentaciónEditar

SELECT `db_name` , `comment`
FROM `phpmyadmin`.`pma_column_info`
WHERE `column_name` = '(db_comment)'

#1142 - SELECT command denied to user ''@'localhost' for table 'pma_column_info'

You are trying to run a query with a user named '', good luck.
 
I'm just a "noob" in this area, but xD I'm wondering if there's some other, maybe a safer program that can run such acc sites like TFSCMS/Gesior ?

Thanks,
/Limannen
 
I keep getting a double something like double ------ 10003 over and over, can you help?
 
You don't need to do this if you have XAMPP 1.7.2.
 
[HELP] Error Creating MySql Database

First, I'm Brazilian, so sorry for the grammatical errors.

I have a Tibia OT server and I'm trying to create a database with a file from the server folder, but when I load the file and click on "Execute" an error message appears:
Error
SQL consult:

DELIMITER | CREATE TRIGGER `ondelete_accounts` BEFORE DELETE ON `accounts` FOR EACH ROW BEGIN DELETE FROM `bans` WHERE `account` = OLD.`id` ;


Messages of MySQL :

#1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'DELIMITER |

CREATE TRIGGER `ondelete_accounts`
BEFORE DELETE
ON `accounts`
' at line 1

What do I do?????:confused::confused::confused:
 
Hi, my XAMPP Apache is closing often, sometimes every 15 hours, sometimes 40 hrs... really random. Could someone be doing this by going in and closing it via the webpage or causing it to crash, or is it a common error, and what provokes it?
 
Is it still possible to hack like this? I think not, the thread is old, but is it?
 
As long as people use the older XAMPP version and aren't aware of this, they will be vulnerable.
 
My OT got hacked today; some guy got access to my GM character and changed his level to 5000 etc.

I think it may be through the pma user. But I can't drop it. After I run the query the pma user is still accessible.

Code:
#1396 - Operation DROP USER failed for 'pma'@'localhost'

I can't change the password for the pma user either.

Code:
Error

SQL-question:

SET PASSWORD = PASSWORD( '***' )

MySQL said: Dokumentation
#1044 - Access denied for user ''@'localhost' to database 'mysql'

Please help me, it would be great.
 
Hm, thanks for the tip. Since I couldn't change or drop the pma user, I deleted the "" user; now I only allow the root user to have privileges. Now the pma user can't log in.
 