
Security A warning to everyone who's running XAMPP.

I've recently seen a lot of users getting hacked, so I've used some of my free time to look into this and I found a "security vulnerability" in phpMyAdmin which comes with XAMPP. The control user pma comes with an empty password as default, and XAMPP does not alert the user about this.

I'm not going to explain in detail how you can take advantage of this vulnerability, but to explain it in a single sentence: the user pma has more permissions than it should have.

NOTE: The instructions below will break pmadb. pmadb is not necessary to host an OpenTibia server, so if you want to make this easy for yourself, just drop the control user. If you want to keep pmadb and fix this the proper way, you can do as stated in the "Change the password of the “pma” user in phpMyAdmin" section here: XAMPP Security: Create “pma” Password Not Covered by the Security Script and Password Protect XAMPP Folders and Directories.

Instructions to drop the control user:
1. Enter phpMyAdmin with root user.
2. Below the phpMyAdmin logo (at the left sidebar) you can see a button that has the text SQL, click on it.
3. A textbox will appear where you can insert a query, insert this:
Code:
DROP USER 'pma'@'localhost';
4. Click on Execute. If you get any error, post it in this thread and we'll try to help you.

Now to be sure it worked, log out from phpMyAdmin and try to log in with the user pma without any password. If it doesn't work then your server should be secure against this vulnerability.
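
An added example, not part of the original post or thread: a small audit of a phpMyAdmin config.inc.php that flags the empty control-user password described above, along with two related empty-password settings. It assumes the file uses the standard `$cfg['Servers'][$i][...]` keys; the sample config is constructed for the example.

```python
import re

# Constructed sample in the style of a phpMyAdmin config.inc.php;
# not copied from any real installation.
SAMPLE_CONFIG = r"""<?php
$i++;
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = '';
$cfg['Servers'][$i]['AllowNoPassword'] = true;
$cfg['Servers'][$i]['controluser'] = 'pma';
$cfg['Servers'][$i]['controlpass'] = '';
// $cfg['Servers'][$i]['controlpass'] = 'commented-out';
"""

# One per-server setting: key, then a quoted string or a bare word (true/false).
SETTING = re.compile(
    r"""\s*\$cfg\['Servers'\]\[\$i\]\['(\w+)'\]\s*=\s*(?:'([^']*)'|"([^"]*)"|(\w+))\s*;""")

def parse_servers(text):
    """Return {server_index: {key: value}} from $cfg['Servers'][$i][...] lines."""
    servers, index = {}, 0
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)  # drop block comments
    for line in text.splitlines():
        m = SETTING.match(line)  # lines starting with // or # never match
        if re.match(r"\s*\$i\+\+\s*;", line):
            index += 1           # config moves on to the next server entry
        elif m:
            key, sq, dq, bare = m.groups()
            value = sq if sq is not None else dq if dq is not None else bare
            servers.setdefault(index, {})[key] = value
    return servers

def audit(text):
    """List (server_index, message) for each empty-password setting found."""
    findings = []
    for idx, s in sorted(parse_servers(text).items()):
        if s.get("controluser") and s.get("controlpass", "") == "":
            findings.append((idx, "control user %r has an empty controlpass" % s["controluser"]))
        if s.get("auth_type") == "config" and s.get("password", "") == "":
            findings.append((idx, "auth_type 'config' stores user %r with an empty password" % s.get("user", "")))
        if s.get("AllowNoPassword", "false").lower() == "true":
            findings.append((idx, "AllowNoPassword is enabled"))
    return findings

if __name__ == "__main__":
    for idx, msg in audit(SAMPLE_CONFIG):
        print("server %d: %s" % (idx, msg))
```

A clean result here only describes the config file; the database account itself still has to be checked by trying the login, as the post describes.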
 
That would probably fix it. But is there a way to reinstall Windows without losing the database? I always lose all my data and my database doesn't work anymore after reinstalling Windows.

Thank you.

Press "Export".
 
That would probably fix it. But is there a way to reinstall Windows without losing the database? I always lose all my data and my database doesn't work anymore after reinstalling Windows.

Thank you.

Save your xampp directory on a flash-drive.
 
Try updating phpmyadmin^^

I think it's already up to date. I've got XAMPP 1.7.1.

Save your xampp directory on a flash-drive.

As I understand it, if I save my C:\xampp folder on a flash drive, reinstall my operating system, install a fresh XAMPP, and finally copy my old xampp folder over the fresh one, my database will not be gone?

PS. I'm scanning my PC atm, maybe it will fix it. Also funny that now, after installing antivirus, I can't view my page and I'm getting the same error about chura.pl. After some googling I found out that it's hard to remove it with antivirus/anti-malware software. I will probably have to reinstall the whole system. But I don't want to do that if I'm not sure that I will not lose the database.
 
Sorry, it seems like I have given you all wrong information. I just tried to log in to my phpMyAdmin with user pma and no password. And I logged in. But phpMyAdmin looks totally different from the one I'm used to logging in to:





There are no databases, and I can't create any either. It says I don't have the privilege to create a new database.

Can someone explain to me what is wrong?
 
I think it's already up to date. I've got XAMPP 1.7.1.



As I understand it, if I save my C:\xampp folder on a flash drive, reinstall my operating system, install a fresh XAMPP, and finally copy my old xampp folder over the fresh one, my database will not be gone?

PS. I'm scanning my PC atm, maybe it will fix it. Also funny that now, after installing antivirus, I can't view my page and I'm getting the same error about chura.pl. After some googling I found out that it's hard to remove it with antivirus/anti-malware software. I will probably have to reinstall the whole system. But I don't want to do that if I'm not sure that I will not lose the database.

xampp uses an outdated version of phpmyadmin, download newest phpmyadmin and replace it with the one in the xampp folder^^
 
The PMA user is simply a control user, you do not have administrative permissions on it although there are ways to get into your root user through it. I'd recommend you to delete it ASAP.

When it comes to your issue regarding the chura.pl virus, I would recommend you, as previously done, to reinstall your computer from scratch. Do NOT save your entire XAMPP folder as you can never be entirely sure which files have been infected by it. Therefore I'd say you should export your databases and save all necessary files. If any errors occur while trying to import your database later, you could always post them here on the forum and we'll do our best to help you with it.
 
Hello dear tibians! Please be so nice and help me if you got time.

So, as some of you already read in my previous posts, someone somehow got access to my database and I was also infected with the ~chura.pl virus. So I decided to reinstall my OS. This time I want to be sure to do everything right. So I will ask you some things that I'm not sure about.

1) As you can see, some things are not SECURE in my localhost or w/e it is. Which of them should stay as they are? Which ones do I need to fix? How do I fix the ones I need to?




2) I can't drop pma admin:




After executing the command in phpMyAdmin I can still log in with pma and no password.


Do I have a password set for my phpMyAdmin?
Yes! I use Root/mypass to log in to phpMyAdmin.

Well...that's all for this time :)

Thank you!
 
Sry, but I didn't understand you.



I'm not sure what privileges are, but yes, I pressed "change password" in my root (phpMyAdmin or w/e it is).

Also if you have free time and want to help me, feel free to add my msn [email protected]


well do the same for pma^^.

I was talking about the first screenshot. It's better to secure that also.
 
well do the same for pma^^.

I was talking about the first screenshot. It's better to secure that also.

1) Shouldn't pma be dropped?

2) Man, I'm a dummy, and if you would read again you could see that I asked: Which one? And how? Sry, but I have no idea how to secure these things. Could you explain it to me?


EDIT:

I'm getting this error when trying to change the password in pma:






PS. I'm even ready to give you access to my PC with remote desktop, if you would like to help me. (That would be much easier.)
 
I got narozia through this shit while they were changing databases or some shit ;P
 
I got narozia through this shit while they were changing databases or some shit ;P

So maybe you can help me? Or you said it and want me to pray you!? Why are you posting something like this, if you don't want to help people, don't post anything at all.
 
Try to login with the root user and then change the pma password.



That's exactly what I was doing! I can't drop pma admin even if I have logged out of it and logged in as root/password.


EDIT: If you don't believe me, I can allow you to connect to my desktop with a remote desktop tool and you can try to drop pma! Let me know if you want - [email protected]
 