
Security: A warning to everyone who's running XAMPP.

Status
Not open for further replies.
I've recently seen a lot of users getting hacked, so I've used some of my free time to look into this, and I found a "security vulnerability" in phpMyAdmin, which comes with XAMPP. The control user pma comes with an empty password by default, and XAMPP does not alert the user about this.

I'm not going to explain in detail how you can take advantage of this vulnerability, but to explain it in a single sentence: the user pma has more permissions than it should have.

NOTE: The instructions below will break pmadb. pmadb is not necessary to host an OpenTibia server, so if you want to make this easy for yourself, just drop the control user. If you want to keep pmadb and fix this the proper way, follow the "Change the password of the “pma” user in phpMyAdmin" section here: XAMPP Security: Create “pma” Password Not Covered by the Security Script and Password Protect XAMPP Folders and Directories.

Instructions to drop the control user:
1. Enter phpMyAdmin as the root user.
2. Below the phpMyAdmin logo (in the left sidebar) you can see a button with the text SQL; click on it.
3. A textbox will appear where you can insert a query. Insert this:
Code:
DROP USER 'pma'@'localhost';
4. Click on Execute. If you get any error, post it in this thread and we'll try to help you.

Now, to be sure it worked, log out of phpMyAdmin and try to log in as the user pma without any password. If it doesn't work, then your server should be secure against this vulnerability.
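As an added example (not part of the original post), here is the same fix written out as SQL that you can paste into phpMyAdmin's SQL tab or run with the mysql command-line client as root. It assumes XAMPP's defaults: the control user is 'pma'@'localhost' and the pmadb is named phpmyadmin; the password value is a placeholder you must replace. Step 2a is the "drop it" path from the instructions above; step 2b is the "keep pmadb" path, using the privilege list phpMyAdmin's own documentation gives for the control user. The column list on mysql.user matches the MySQL 5.0/5.1 builds XAMPP shipped at the time, so compare it against `SHOW COLUMNS FROM mysql.user` on a newer server before running it.

```sql
-- Added example, not from the original post. Run as root.
-- Assumptions: control user is 'pma'@'localhost', pmadb is 'phpmyadmin'
-- (XAMPP defaults); 'REPLACE-WITH-A-LONG-RANDOM-PASSWORD' is a placeholder.

-- 1. Audit: list every account that can log in without a password.
--    MySQL 5.0-5.6 keep the hash in mysql.user.Password; on 5.7+ use
--    WHERE authentication_string = '' instead.
SELECT User, Host FROM mysql.user WHERE Password = '';

-- 2a. Quick fix (pmadb is not needed for an OT server): drop the account.
--     Uncomment this line and skip 2b.
-- DROP USER 'pma'@'localhost';

-- 2b. Keep pmadb: give pma a password and only the rights phpMyAdmin's
--     documentation lists for the control user. PASSWORD() works on
--     MySQL 5.x; on 8.0 use ALTER USER ... IDENTIFIED BY '...' instead.
SET PASSWORD FOR 'pma'@'localhost' = PASSWORD('REPLACE-WITH-A-LONG-RANDOM-PASSWORD');
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'pma'@'localhost';

-- Read-only access to the privilege tables, limited to the columns
-- phpMyAdmin needs. The Password column is deliberately NOT granted, so a
-- compromised pma cannot read the root password hash. mysql.host no longer
-- exists on 5.6.7+; drop that line there.
GRANT SELECT ON mysql.db TO 'pma'@'localhost';
GRANT SELECT ON mysql.host TO 'pma'@'localhost';
GRANT SELECT (Host, Db, User, Table_name, Table_priv, Column_priv)
    ON mysql.tables_priv TO 'pma'@'localhost';
GRANT SELECT (Host, User, Select_priv, Insert_priv, Update_priv, Delete_priv,
    Create_priv, Drop_priv, Reload_priv, Shutdown_priv, Process_priv, File_priv,
    Grant_priv, References_priv, Index_priv, Alter_priv, Show_db_priv, Super_priv,
    Create_tmp_table_priv, Lock_tables_priv, Execute_priv, Repl_slave_priv,
    Repl_client_priv)
    ON mysql.user TO 'pma'@'localhost';

-- Read/write access to the pmadb tables only. No rights on any other
-- database, so the game database stays out of reach of this account.
GRANT SELECT, INSERT, UPDATE, DELETE ON phpmyadmin.* TO 'pma'@'localhost';
FLUSH PRIVILEGES;

-- 3. Verify: the empty-password query should now return no rows, and
--    SHOW GRANTS should list nothing beyond the statements above.
SELECT User, Host FROM mysql.user WHERE Password = '';
SHOW GRANTS FOR 'pma'@'localhost';
```

After step 2b, put the same password into `$cfg['Servers'][$i]['controlpass']` in phpMyAdmin's config.inc.php, otherwise phpMyAdmin can no longer open the pmadb tables and the bookmark/relation features stop working. Rerunning the audit query after the change is the real check: an empty result means no account on the server, not just pma, can log in with a blank password.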
 
Using a simple load and insert you can hack a server with pma open. The problem is not with XAMPP; the problem is with the configuration.
 

... and XAMPP's default configuration is bad if pma has no password and the user is not even alerted about it. Over 97% of the users who use Windows to host an otserver are using XAMPP; that's why this announcement is aimed at them. The XAMPP/MySQL installation should ask the user what password s/he wants for the MySQL root and control user (like pma). Some Linux distributions have started doing this: they ask the user which root password to use when installing MySQL, and they set a randomly generated password on the control user.
 
Well, this warning could be reported on the Apache Friends forums to get it fixed. That is a better solution, because many users will never read this thread.
 
I already put a password on pma.

If you choose to put a password on pma, you will also have to update this line in the phpMyAdmin config file (if you want to keep using pmadb, that is):
Code:
$cfg['Servers'][$i]['controlpass'] = '';

If you don't update that line, pma will not function as the control user, because phpMyAdmin cannot access it and perform actions on the pmadb tables.
 

True, XAMPP is a piece of shit, but this isn't a XAMPP issue. It's a phpMyAdmin issue and was fixed months ago. People that don't update their services and software are just asking to get their asses hacked.
 
Sorry for my noob question ;p What will the hacker do if he gets into my phpMyAdmin? Can he edit levels/accounts? And how will he do that?

Well guys, I haven't hosted or worked with that before, so don't make bad comments about me or something like that :p
 
Loza, with the pma user he can get the root user.

With the root user he can do everything...

Drop databases, edit accounts, etc., create databases.
 
Yes, I tested locally and you are right... This problem only appears on OVH-installed Debian and Ubuntu. I had wrong information... ;-|

After installing the MySQL packages you should type:
Code:
mysql_secure_installation
which will fix up all the vulnerabilities.
 
After I did this, XAMPP isn't working correctly.
When I need to stop MySQL, it doesn't.

I get some error and it lags my computer xD

Any ideas?
 

...

I've just reinstalled the computer and downloaded XAMPP; the problem is still there in XAMPP.
 

The newest XAMPP (it is probably 1.6.8b or something) doesn't come with the newest phpMyAdmin version.
 
I tried it on my localhost/phpmyadmin and logged in as pma, and I was trying to find a way to get the root password from the pma user, but I think it's not possible, so can someone explain it to me?
 

If you need help securing your server, PM me your IP. I will help you.
 
I have checked pma and they can't access my database, only phpmyadmin and information_schema, so it's safe :)
You don't have to remove/change it.
 

"ok", I'd love to hear you repeat that when someone has hacked your server.
 
Lol, you can't; otherwise give me proof.

Give me the IP of your server and I'll prove that it's possible. I'm not going to explain how to do it, because there are still a bunch of servers affected by this.
 