
Security: A warning to everyone who's running XAMPP.

Status
Not open for further replies.
I've recently seen a lot of users getting hacked, so I've used some of my free time to look into this and I found a "security vulnerability" in phpMyAdmin which comes with XAMPP. The control user pma comes with an empty password as default, and XAMPP does not alert the user about this.

I'm not going to explain in detail how you can take advantage of this vulnerability, but to explain it in a single sentence: the user pma has more permissions than it should have.

NOTE: The instructions below will break pmadb. pmadb is not necessary to host an OpenTibia server, so if you want to make this easy for you it's just to drop the control user. If you want to keep pmadb and fix this the proper way you can do as stated in the "Change the password of the “pma” user in phpMyAdmin" section here: XAMPP Security: Create “pma” Password Not Covered by the Security Script and Password Protect XAMPP Folders and Directories.

Instructions to drop the control user:
1. Enter phpMyAdmin with root user.
2. Below the phpMyAdmin logo (at the left sidebar) you can see a button that has the text SQL, click on it.
3. A textbox will appear where you can insert a query, insert this:
Code:
DROP USER 'pma'@'localhost';
4. Click on Execute. If you get any error, post it in this thread and we'll try to help you.

Now to be sure it worked, logout from phpmyadmin and try to login with the user pma without any password. If it doesn't work then your server should be secure against this vulnerability.
 
SQL query:

DROP USER 'pma'@'localhost'

MySQL said:
#1396 - Operation DROP USER failed for 'pma'@'localhost'

Can you help me?
 
Talaturen I really need your help...
My website was hacked and I did what it says there but the person seems to still have control of the website :(
The problem is that I don't know what he did :S
I think he gave himself an admin in the web but I don't know how to check...
I WOULD REALLY REALLY APPRECIATE YOUR HELP!!!!!!
I changed my phpMyAdmin pass 2 times and I don't know what's going on..


please help
 

I can help if you want, send me a pm with your site if you want me to help. :)
 
Hey, I have a problem. I already did all I have to do but I just can't enter my server. I already changed the loginrequired and password and there just appears a message that says error 1061 or something like that, but that means that my server exists but I can't get in, so I want to make an account. And also I can't look at my map; I want to look at it so I can make some changes there but I just can't. Can you help me please, I really need your help guys
and also I want to know if I need to make a website because my server is 8.5 so I want to know.


THANKS!!
 
I knew this long ago but I'm sure it will help a lot of people from getting pwned ^
 
Yeah, you found the error.. This error was found nearly 3 years ago. Use Google and give the credits to the real people who found it.
 
Thanks, but there is a new thing that won't allow anyone outside the network past phpMyAdmin :>
 
I'm not sure which version of XAMPP and PHPMyAdmin I have but user pma doesn't exist.
All I have is:
Code:
User   Host       Password   Global privileges   Grant
Any    %          --         USAGE               No
Any    localhost  No         USAGE               No
root   127.0.0.1  No         ALL PRIVILEGES      Yes
root   localhost  Yes        ALL PRIVILEGES      Yes
I suppose I don't have a problem?
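Added example, not code from the thread or from XAMPP: a small audit over an account table in the layout phpMyAdmin's "User overview" page uses, covering both the first post's pma case and the table quoted just above. The sample table is constructed to mirror the posted one with a 'pma' row added; the statements it emits are the ones the first post's steps run, and account_exists is there because DROP USER fails with the #1396 error reported earlier when the account is not present.

```python
import re

# Constructed sample in the layout of phpMyAdmin's "User overview" page; it mirrors
# the table quoted in this thread plus a 'pma' row for the case the first post describes.
SAMPLE_OVERVIEW = """\
User    Host       Password  Global privileges  Grant
Any     %          --        USAGE              No
Any     localhost  No        USAGE              No
root    127.0.0.1  No        ALL PRIVILEGES     Yes
root    localhost  Yes       ALL PRIVILEGES     Yes
pma     localhost  No        USAGE              No
"""

def parse_overview(text):
    """Split the space-aligned table into one dict per account, keyed by the header."""
    lines = [l for l in text.splitlines() if l.strip()]
    header = re.split(r"\s{2,}", lines[0].strip())
    return [dict(zip(header, re.split(r"\s{2,}", l.strip()))) for l in lines[1:]]

def audit(rows):
    """Return (user, host, finding) triples, at most one finding per account."""
    findings = []
    for r in rows:
        user, host, privs = r["User"], r["Host"], r["Global privileges"]
        no_password = r["Password"] in ("No", "--")   # "--" is how the anonymous row shows
        if user == "Any":                             # phpMyAdmin's label for the '' account
            findings.append((user, host, "anonymous account; drop it"))
        elif user == "pma" and no_password:
            findings.append((user, host, "phpMyAdmin control user without password"))
        elif no_password:
            findings.append((user, host, f"no password ({privs}, from {host})"))
    return findings

def account_exists(rows, user, host):
    """DROP USER fails with #1396 when the account is absent, so check before dropping."""
    return any(r["User"] == user and r["Host"] == host for r in rows)

def remediation_sql(findings):
    """Statements for the SQL tab, run as root; review them before executing."""
    stmts = []
    for user, host, issue in findings:
        acct = f"''@'{host}'" if user == "Any" else f"'{user}'@'{host}'"
        if issue.startswith(("anonymous", "phpMyAdmin control user")):
            stmts.append(f"DROP USER {acct};")   # or keep pma and give it a password instead
        else:                                    # MySQL 5.x syntax, as shipped with XAMPP then
            stmts.append(f"SET PASSWORD FOR {acct} = PASSWORD('<new strong password>');")
    return stmts
```

Paste your own User overview into SAMPLE_OVERVIEW to get the statements for your server; the root@127.0.0.1 row in the posted table, with ALL PRIVILEGES and no password, is flagged as well.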
 
I just get this error message: #1396 - Operation DROP USER failed for 'pma'@'localhost'
 
Thanks for the heads up, I'll remember this if I decide to run a server.
 
ATTENTION EVERYONE: All new versions of XAMPP above 1.7.0 do not have the user 'pma', and no one else can connect to your phpMyAdmin without being on the localhost.

The thread only applies to XAMPP that is 1.6.9 or lower!
 
I suggest you to just rename pma to something else and put a long random password on it. By disabling it you lose some nice phpMyAdmin features. Having web access (and not only localhost) is the whole meaning of phpMyAdmin. Using a browser or even having a GUI on a server is just a waste of memory on both Windows and Linux. They also have a lot of security bugs on both platforms.
 
.htaccess file, ok, it's powerful

order allow, deny
deny from all
allow from 127.0.0.1

DlaGraczy.pl - ...from players, for players! - News - htaccess pwnage

Sup elf, I know it's been a loooong time since you posted this but I would like to ask you how to make this work.

I created .htaccess with notepad then placed the
order allow, deny
deny from all
allow from 127.0.0.1

inside, then placed that .htaccess file inside the phpmyadmin folder (using XAMPP), but after restarting the services so that it picks up the new file I can't connect to my phpMyAdmin, not even from the localhost. So is there some other file to be placed, or where do I have to place it so that it will work like in your example page, so that no one from the outside can access this? Thanks in advance.
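Added example, not elf's code or anything from the linked page: a Python model of how Apache 2.2 evaluates Order, Allow and Deny, run over the posted fragment verbatim and two variants I constructed, which shows why it locks out localhost. The space in "allow, deny" is not a valid Order argument, and even with the space removed, "Order allow,deny" together with "Deny from all" denies every client; the reversed "Order deny,allow" is the form that admits only 127.0.0.1. Hostnames and mutual-failure are not modelled.

```python
# Constructed .htaccess fragments (not the project's own): POSTED is the thread's text
# verbatim, the other two are variants added here for comparison.
POSTED = "order allow, deny\ndeny from all\nallow from 127.0.0.1\n"
POSTED_SPACE_REMOVED = "Order allow,deny\nDeny from all\nAllow from 127.0.0.1\n"
CORRECTED = "Order deny,allow\nDeny from all\nAllow from 127.0.0.1\n"

def parse(text):
    """Return (order, allow_list, deny_list) following Apache 2.2 mod_authz_host's rules."""
    order, allow, deny = "deny,allow", [], []        # Apache's default Order
    for line in text.splitlines():
        parts = line.split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key, rest = parts[0].lower(), (parts[1] if len(parts) > 1 else "").strip()
        if key == "order":
            if rest.lower() not in ("allow,deny", "deny,allow"):   # mutual-failure not modelled
                # "allow, deny" with a space is rejected by Apache as an unknown order; in a
                # .htaccess that surfaces as a 500 error for every client, localhost included
                raise ValueError(f"unknown order: {rest!r}")
            order = rest.lower()
        elif key in ("allow", "deny"):
            words = rest.split()
            if words[:1] != ["from"]:
                raise ValueError(f"bad directive: {line!r}")
            (allow if key == "allow" else deny).extend(words[1:])
    return order, allow, deny

def matches(client_ip, patterns):
    """'all', an exact IP, or a partial dotted prefix such as 192.168, as the directives accept."""
    for p in patterns:
        if p.lower() == "all" or client_ip == p or client_ip.startswith(p.rstrip(".") + "."):
            return True
    return False

def allowed(config_text, client_ip):
    """allow,deny: deny by default and a Deny match always wins.
    deny,allow: allow by default and an Allow match overrides a Deny match."""
    order, allow, deny = parse(config_text)
    a, d = matches(client_ip, allow), matches(client_ip, deny)
    return (a and not d) if order == "allow,deny" else (a or not d)

def config_error(config_text):
    """None when the fragment parses, else the message the parser raised."""
    try:
        parse(config_text)
        return None
    except ValueError as e:
        return str(e)
```

On Apache 2.4 these directives only work through mod_access_compat; the native form of the corrected fragment is a single `Require ip 127.0.0.1`.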
 
ATTENTION EVERYONE: All new versions of XAMPP above 1.7.0 do not have the user 'pma', and no one else can connect to your phpMyAdmin without being on the localhost.

The thread only applies to XAMPP that is 1.6.9 or lower!

Well, I'm not really sure about that. Just a few minutes ago I installed XAMPP 1.7.1 and did the pma test and I definitely can access without even putting a password, just by placing user pma on phpMyAdmin, hit enter and you're in. It doesn't have many privileges but there could be some danger there.
 
Error
#1045 - Access denied for user 'root'@'localhost' (using password: YES)


I tried to enter with my password after doing this and I can't connect now :S
 