
Security: A warning to everyone who's running XAMPP.

I've recently seen a lot of users getting hacked, so I've used some of my free time to look into this and I found a "security vulnerability" in phpMyAdmin, which comes with XAMPP. The control user pma comes with an empty password by default, and XAMPP does not alert the user about this.

I'm not going to explain in details how you can take advantage of this vulnerability, but to explain it in a single sentence: the user pma has more permissions than it should have.

NOTE: The instructions below will break pmadb. pmadb is not necessary to host an OpenTibia server, so if you want to make this easy for you it's just to drop the control user. If you want to keep pmadb and fix this the proper way you can do as stated in the "Change the password of the “pma” user in phpMyAdmin" section here: XAMPP Security: Create “pma” Password Not Covered by the Security Script and Password Protect XAMPP Folders and Directories.

Instructions to drop the control user:
1. Enter phpMyAdmin with root user.
2. Below the phpMyAdmin logo (at the left sidebar) you can see a button that has the text SQL, click on it.
3. A textbox will appear where you can insert a query, insert this:
Code:
DROP USER 'pma'@'localhost';
4. Click on Execute, if you get any error post it in this thread and we'll try to help you.

Now to be sure it worked, logout from phpmyadmin and try to login with the user pma without any password. If it doesn't work then your server should be secure against this vulnerability.
 
Guys, can anybody help me? I do exactly what it says here but it won't block the pma user, don't know why. I get exactly the same things as the guy who posted his screenshots in post number 2. Please help!
 

Login with

root
*password*

then go to the tab "Privileges" or similar. A new window will appear showing a list of users (127.0.0.1, localhost, etc.). Go through all of them and see if any of them says that it doesn't have a password. If it doesn't, simply press the button to the right, "Change privileges". Yet again a new window will appear. Find "Change password", enter it in both text fields and then press Go.

When you are done you should no longer be able to login to PMA without a password.

//Massen
 
Hey, thanks a lot. I'm kinda new at this and just want to thank Otland and all the users for providing baby steps for noobs like me.
 
This will probably help me when I go home to my server. I got hacked :S
 
Well, when I log in with pma I can just see two databases: phpmyadmin and information_schema, because pma doesn't have any privileges (it was like that when I clicked on Privileges as root). Can someone do bad things when he can access those databases, xD? Or is it fine like that?
 

pma user can write to phpmyadmin table.
pma user can read files on your computer.

I don't think more than that needs to be said, set a password or remove the pma user.
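The queries below are an added example, not part of the original thread or of XAMPP/phpMyAdmin, and tie together the first post's drop instructions, Massen's Privileges-tab walkthrough and the reply above about what pma can do. They are meant to be pasted into phpMyAdmin's SQL tab (or the mysql command line) while logged in as root, and assume the MySQL 5.x / MariaDB grant tables that XAMPP of this era ships with; the password value is a placeholder you must replace.

```sql
-- Added example (not from the original thread). Run as root in phpMyAdmin's
-- SQL tab or the mysql CLI. Assumes MySQL 5.x / MariaDB grant tables.

-- 1. Find every account with an empty password, not just pma.
--    Before MySQL 5.7 the hash lives in mysql.user.Password; MariaDB keeps
--    that column as well.
SELECT User, Host
FROM   mysql.user
WHERE  Password = '';

-- 2. Check exactly what the control user may do, and which host(s) it exists
--    for. A FILE privilege (or ALL PRIVILEGES) is what lets an account read
--    files on the server host via LOAD_FILE() / LOAD DATA INFILE, which is
--    the point made in the reply above.
SHOW GRANTS FOR 'pma'@'localhost';

SELECT User, Host, File_priv, Super_priv
FROM   mysql.user
WHERE  User = 'pma';

-- 3a. Keep pmadb and fix it properly: give pma a real password (placeholder
--     below; use a long random value) and take away FILE if step 2 showed it.
--     The same password then goes into phpMyAdmin's config.inc.php as
--     $cfg['Servers'][$i]['controlpass'], otherwise pmadb stops working.
SET PASSWORD FOR 'pma'@'localhost' = PASSWORD('ChangeMe-LongRandomValue');
-- Only run this line if SHOW GRANTS listed FILE; MySQL errors out when
-- revoking a privilege that was never granted.
-- REVOKE FILE ON *.* FROM 'pma'@'localhost';

-- 3b. Or, if you do not need pmadb, drop the account instead. The host part
--     must match the row shown in step 2 exactly, otherwise DROP USER fails
--     with error 1396 like the one reported later in this thread.
-- DROP USER 'pma'@'localhost';

-- 4. SET PASSWORD and DROP USER take effect immediately; FLUSH PRIVILEGES is
--    only needed if you edited mysql.user directly, but it is harmless here.
FLUSH PRIVILEGES;

-- 5. Verify: this must return no rows before you log out of phpMyAdmin,
--    then confirm by trying to log in as pma with an empty password.
SELECT User, Host
FROM   mysql.user
WHERE  User = 'pma' AND Password = '';
```

On MySQL 5.7 and later the `Password` column is gone (use `authentication_string`), the `PASSWORD()` function no longer exists and the password is set with `ALTER USER 'pma'@'localhost' IDENTIFIED BY '...'`; the `SHOW GRANTS`, `REVOKE`, `DROP USER` and `FLUSH PRIVILEGES` statements are unchanged.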
 
I got an error: #1396 - Operation DROP USER failed for 'pma'@'localhost'
 
If you have dropped it and can still login to pma, then restart MySQL.
 
So if I remove PMA or change the password, am I 100% secured, or what other things need to be done to protect from the evil hackers like Rabbe? (my server got hacked 2 days ago)

PM with info please.
 
Besides being able to access logs and add USELESS CRAP to a few not-important databases, I can't see this being a threat in XAMPP 1.7.1...

A warning to everyone using an older XAMPP version than 1.7.1?
 