Security A warning to everyone who's running XAMPP.

I've recently seen alot of users getting hacked, so I've used some of my free time to look into this and I found a "security vulnerability" in phpMyAdmin which comes with XAMPP. The control user pma comes with an empty password as default, and XAMPP does not alert the user about this.

I'm not going to explain in details how you can take advantage of this vulnerability, but to explain it in a single sentence: the user pma has more permissions than it should have.

NOTE: The instructions below will break pmadb. pmadb is not necessary to host an OpenTibia server, so if you want to make this easy for you it's just to drop the control user. If you want to keep pmadb and fix this the proper way you can do as stated in the "Change the password of the “pma” user in phpMyAdmin" section here: XAMPP Security: Create “pma” Password Not Covered by the Security Script and Password Protect XAMPP Folders and Directories.

Instructions to drop the control user:
1. Enter phpMyAdmin with root user.
2. Below the phpMyAdmin logo (at the left sidebar) you can see a button that has the text SQL, click on it.
3. A textbox will appear where you can insert a query, insert this:

DROP USER 'pma'@'localhost';

4. Click on Execute, if you get any error post it in this thread and we'll try to help you.

Now to be sure it worked, logout from phpmyadmin and try to login with the user pma without any password. If it doesn't work then your server should be secure against this vulnerability.

 

[Mark]

No, it's not.

 

[sonata]

uh..i cant get it to work like i clik the sqlbutton next to exit but it does not work..

 

[Feloth]

Make sure you dont have a popup-blocker activated.

 

[Metem]

In new xampp I must delete pma too?

 

[Mark]

In new xampp I must delete pma too?

Unless "new" XAMPP has set a random password for it by default, you should either delete it or set a password to it. If you don't care about pmadb you can just delete it.

 

[christiandb]

Just a question, what's the plus of the pmadb?

 

[Mark]

Just a question, what's the plus of the pmadb?

You can find information about pmadb here: pmadb - PmaWiki.

 

[richux]

Thank you. I hope this will help me.

 

[TKO]

one things is when i add that i cant close my mysql server-.-

 

[Pietia]

one things is when i add that i cant close my mysql server-.-

so just change password of pma.

 

[trixet]

The way I am doing it:
Moving the pmabd (PhpMyAdmin) folder somewhere else - I do not delete it since i might need it sometimes.

And also, to manage my database I am using Navicat, it is a great tool which i recommend to everyone.

 

[Mark]

The way I am doing it:
Moving the pmabd (PhpMyAdmin) folder somewhere else - I do not delete it since i might need it sometimes.

And also, to manage my database I am using Navicat, it is a great tool which i recommend to everyone.

Hiding a security leak is not a good way to solve it. If you want to keep the pmadb features then just put a password on the pma user and then also set it in phpMyAdmins config file.

 

[UpAndDown]

When I try to change my password on user "pma" I get this message;

Fout

SQL-query:

SET PASSWORD = PASSWORD( '***' )

MySQL retourneerde: Documentatie
#1044 - Access denied for user ''@'localhost' to database 'mysql'

Connection for controluser as defined in your configuration failed.

Sincerely,
UpAndDown.

 

[thisismeto]

i cant find the #6 Use the 'File to import' part, select forgottenserver.sql and press on 'Go'.
were i find that file?

 

[drax skylon]

thanks a lot Talaturen!!!
It work^^

Cya^.-

 

[richux]

Ok. I got fu** up situation here. I started my own ot yesterday and after like 6 hours I logged in(at night) and there were polcaks owning my server. One of them was running with my gm char, others were high lvls and did random stuffs. How is that possible, I executed this command in myadmin, why do I still get hacked?

 

[Mark]

Did you have a password on the root user? Are you sure that all software you are running is up to date and not vulnerable to any kind of attack?

 

[richux]

Did you have a password on the root user? Are you sure that all software you are running is up to date and not vulnerable to any kind of attack?

The problem is that im not sure for nothing at all. Im total newbie and I dont know what do I have to do to protect myself.
Here is some info:

windows 5.1 Build 2600 platform 2 service pack 2D)
Yes, I got password on root, and I always have to use password when I login in my phpmyadmin.
ALso there is one other thing that you definetly should know-when I visit my website I always get warning from my browser(google chrome) that entering my site is very dangerous. It says that in my site there is chura.pl elements or something.

PS. I dont have antivirus. Only firewall on. But Im almost 100% sure there are no keyloggers in my pc cuz I recently reninstalled whole windows. Also its theese guys who hacked me were polacks. So...chura.pl and polacks... sounds strange

 

[Chris]

The problem is that im not sure for nothing at all. Im total newbie and I dont know what do I have to do to protect myself.
Here is some info:

windows 5.1 Build 2600 platform 2 service pack 2D)
Yes, I got password on root, and I always have to use password when I login in my phpmyadmin.
ALso there is one other thing that you definetly should know-when I visit my website I always get warning from my browser(google chrome) that entering my site is very dangerous. It says that in my site there is chura.pl elements or something.

PS. I dont have antivirus. Only firewall on. But Im almost 100% sure there are no keyloggers in my pc cuz I recently reninstalled whole windows. Also its theese guys who hacked me were polacks. So...chura.pl and polacks... sounds strange

I would recommend you to download Spybot search&destroy, perhaps even a few other tools. If that doesn't work I'd recommend a fresh install of your OS as it seems to be the only reasonable way to get rid off jl.chura.pl virus (been doing some research).

 

[richux]

I would recommend you to download Spybot search&destroy, perhaps even a few other tools. If that doesn't work I'd recommend a fresh install of your OS as it seems to be the only reasonable way to get rid off jl.chura.pl virus (been doing some research).

That would probably fix it. But is there a way how to reninstall windows without loosing database? I always loose all datas and my database doesn't work anymore after reninstalling windows.

Thank you.