
Security: A warning to everyone who's running XAMPP.

Status
Not open for further replies.
I've recently seen a lot of users getting hacked, so I've used some of my free time to look into this and I found a "security vulnerability" in phpMyAdmin which comes with XAMPP. The control user pma comes with an empty password by default, and XAMPP does not alert the user about this.

I'm not going to explain in detail how you can take advantage of this vulnerability, but to explain it in a single sentence: the user pma has more permissions than it should have.

NOTE: The instructions below will break pmadb. pmadb is not necessary to host an OpenTibia server, so if you want to make this easy, just drop the control user. If you want to keep pmadb and fix this the proper way, you can do as stated in the "Change the password of the “pma” user in phpMyAdmin" section here: XAMPP Security: Create “pma” Password Not Covered by the Security Script and Password Protect XAMPP Folders and Directories.

Instructions to drop the control user:
1. Enter phpMyAdmin with root user.
2. Below the phpMyAdmin logo (at the left sidebar) you can see a button that has the text SQL, click on it.
3. A textbox will appear where you can insert a query, insert this:
Code:
DROP USER 'pma'@'localhost';
4. Click on Execute, if you get any error post it in this thread and we'll try to help you.

Now, to be sure it worked, log out from phpMyAdmin and try to log in as the user pma without any password. If it doesn't work, then your server should be secure against this vulnerability.
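An added example (not from the thread or from XAMPP/phpMyAdmin) of the two remediations above done as one audit: first list which accounts have no password at all, then either drop pma or give it a password. It assumes MySQL 5.0/5.1 as bundled with XAMPP of that era, where mysql.user still has a Password column (it is authentication_string from 5.7 on), and is run as root from the phpMyAdmin SQL tab or the mysql command-line client.

```sql
-- Added example, not part of the original post. Assumes MySQL 5.0/5.1
-- (XAMPP era): mysql.user has a Password column. Run as root.

-- 1. Which accounts can log in without a password, and from which hosts?
--    On a stock XAMPP this typically lists root@localhost and pma@localhost.
SELECT User, Host, (Password = '') AS no_password
FROM mysql.user
ORDER BY no_password DESC, User, Host;

-- 2. What can the control user actually do? phpMyAdmin's own docs only
--    require SELECT on a few columns of mysql.user / mysql.db /
--    mysql.tables_priv plus full access to the phpmyadmin bookkeeping
--    database. Anything beyond that (SUPER, ALL PRIVILEGES on *.*) is
--    the over-privilege the thread is about.
SHOW GRANTS FOR 'pma'@'localhost';

-- 3. Pick ONE of the two fixes.

-- 3a. What the first post does: remove the control user entirely.
--     pmadb features (bookmarks, relations, history) stop working;
--     an OT server does not need them.
DROP USER 'pma'@'localhost';

-- 3b. Keeps pmadb: give pma a real password instead, then put the same
--     value into phpMyAdmin's config.inc.php:
--       $cfg['Servers'][$i]['controlpass'] = 'choose-a-long-random-value';
--     (the value here is a placeholder, not a real password)
SET PASSWORD FOR 'pma'@'localhost' = PASSWORD('choose-a-long-random-value');
FLUSH PRIVILEGES;

-- 4. Verify: pma must no longer appear here (and root should not either
--    once you have set its password via the XAMPP security script).
SELECT User, Host FROM mysql.user WHERE Password = '';
```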
 
lol, ok I'll send it in a private message

You can stop asking me how to do it in private messages because I'm not going to explain how to take advantage of this security issue.

If this message: "lol i do not even know how to do it explain please, i want to test it myself, i just think you already knew my password" was serious, you'll regret later that you didn't listen to me when you get hacked by an evil soul.
 
This issue is in XAMPP (and apparently in the webserver package from the Gentoo repositories too). It can be triggered without phpMyAdmin, so you're not safe if you remove phpMyAdmin from your website, only if you drop the control user or change its password.
 
Uhum yes.. I already dropped the pma user and I haven't been using phpMyAdmin for a long time.

I have a suggestion.. someone should create a tutorial on how to install apache + php + mysql..

I know how to install it, but many clearly don't.
 
Log in as 'pma' without password and.. voilà!

Code:
UPDATE user SET password=PASSWORD("the-new-root-password") WHERE User='root';
flush privileges;

Now you have full root access :thumbup:

ps: it's better to let all those noobs get hacked and close their noob otservs.

They must learn how to secure a server before running it. That's why I hate all the download-and-run otservs, it's filling the OT community with sh!t -.-
 
Yes, I have dropped the PMA user.
I don't run a website from the above address.
I am behind a router with port forwarding set.
The server's PC has a firewall.
I can connect to my server.
But I can't access http://rebornot.game-host.org/phpmyadmin/
from a remote PC..

Forward
I still can't access http://rebornot.game-host.org/phpmyadmin/
I guess this is a good thing.?????

Maybe someone can try to get into my database.. Please try..
If you know how to hack, please try... and tell me the result.
- If you "can't" get in, post it here along with the server configuration I mentioned.
- If you get in, post the result here..

Sorry for the last post.. I forgot to tell you I have dropped the PMA user.
 
You don't have the permissions to execute that query as pma user.
 
Maybe on XAMPP, but on some packages the pma user has super-user privileges; that is the only way phpMyAdmin can fully manage the MySQL server (from the phpMyAdmin documentation).
 
Isn't it better to remove phpMyAdmin or block MySQL with a firewall?

I disabled all connections to my phpMyAdmin in my apache folder.. Nobody can connect to phpMyAdmin.
 
They don't need access to your phpMyAdmin for this; they can use a MySQL client too if you allow incoming MySQL connections from hosts other than localhost.
 
If I set this
Code:
# Apache 2.2 host-based access control for the phpMyAdmin directory.
# Deny,Allow: Deny directives are evaluated first, then Allow may override,
# so loopback gets through and everyone else is rejected. (The original
# post had "Order allow, deny", which would reject 127.0.0.1 as well.)
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
in phpMyAdmin, will it be safe or not?
 
If you only allow MySQL connections from localhost, yes. If you allow "external" MySQL connections, then it makes no difference whether you disable/remove phpMyAdmin.
 
Uhm, so how do you fix it so that MySQL connections are only allowed from localhost?
I've blocked it so only localhost can enter phpMyAdmin, but that doesn't seem to be enough if I read correctly?
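An added example for the question above (not from the thread): how to tell whether the MySQL server itself, independently of the Apache rule on /phpmyadmin, is reachable from other machines, and which knobs close it. It assumes MySQL 5.0/5.1 as bundled with XAMPP and is run as root; the `[mysqld]` settings are shown as comments because they live in my.cnf / my.ini, not in SQL.

```sql
-- Added example, not part of the original thread. Assumes MySQL 5.0/5.1
-- as bundled with XAMPP; run as root.

-- 1. Accounts whose Host is not local can be used by any MySQL client on
--    the network, so restricting the /phpmyadmin URL does nothing for them.
SELECT User, Host
FROM mysql.user
WHERE Host NOT IN ('localhost', '127.0.0.1', '::1');

-- 2. Remove or localise any such account. Example only: run it only if
--    step 1 actually listed a wildcard root account.
-- DROP USER 'root'@'%';

-- 3. Is the TCP listener disabled? 'ON' means no network socket at all
--    (local clients use the Unix socket / Windows named pipe instead).
SHOW VARIABLES LIKE 'skip_networking';
-- (bind_address is only queryable from MySQL 5.6 on; on 5.0/5.1 it is
--  visible only in the config file.)

-- 4. The listener is configured in my.cnf / my.ini, then MySQL restarted:
--      [mysqld]
--      bind-address = 127.0.0.1    # accept TCP only on loopback
--    or
--      skip-networking             # no TCP listener at all; on Windows add
--      enable-named-pipe           # so local clients can still connect
--    A firewall rule blocking inbound TCP 3306 is the belt-and-braces
--    addition; it does not replace giving every account a password.
```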
 