
Security: A warning to everyone who's running XAMPP.

I've recently seen a lot of users getting hacked, so I've used some of my free time to look into this and I found a "security vulnerability" in phpMyAdmin which comes with XAMPP. The control user pma comes with an empty password as default, and XAMPP does not alert the user about this.

I'm not going to explain in details how you can take advantage of this vulnerability, but to explain it in a single sentence: the user pma has more permissions than it should have.

NOTE: The instructions below will break pmadb. pmadb is not necessary to host an OpenTibia server, so if you want to make this easy for you it's just to drop the control user. If you want to keep pmadb and fix this the proper way you can do as stated in the "Change the password of the “pma” user in phpMyAdmin" section here: XAMPP Security: Create “pma” Password Not Covered by the Security Script and Password Protect XAMPP Folders and Directories.

Instructions to drop the control user:
1. Enter phpMyAdmin with root user.
2. Below the phpMyAdmin logo (at the left sidebar) you can see a button that has the text SQL, click on it.
3. A textbox will appear where you can insert a query, insert this:
Code:
DROP USER 'pma'@'localhost';
4. Click on Execute; if you get any error, post it in this thread and we'll try to help you.

Now, to be sure it worked, log out from phpMyAdmin and try to log in as the user pma without any password. If it doesn't work, then your server should be secure against this vulnerability.
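As an added defender's check (example SQL written for this thread, not part of the original post), the queries below audit the MySQL account table for exactly the conditions discussed here (accounts with no password, anonymous accounts, the grants of the pma control user) and then show both fixes: setting a real password or dropping the account. Column names assume MySQL 5.7 or 8.0; the password value is a placeholder and the phpMyAdmin config key is mentioned only as a reminder of where the matching password lives.

```sql
-- Added audit/remediation example (not from the original post).
-- Column names follow MySQL 5.7/8.0 (authentication_string);
-- on MySQL 5.6 and older use the Password column instead.

-- 1. Accounts that can log in with no password at all. Should return no rows.
--    (Accounts using the auth_socket/unix_socket plugin also show an empty
--    string here but authenticate by OS user, so check the plugin column.)
SELECT User, Host, plugin
FROM mysql.user
WHERE authentication_string = '' OR authentication_string IS NULL;

-- 2. Anonymous accounts (empty user name), the ones mysql_secure_installation
--    offers to remove. Should also return no rows on a production server.
SELECT User, Host
FROM mysql.user
WHERE User = '';

-- 3. What the phpMyAdmin control user is actually allowed to do. Compare the
--    output with the minimal grants phpMyAdmin's documentation asks for;
--    anything beyond that is the "more permissions than it should have" problem.
SHOW GRANTS FOR 'pma'@'localhost';

-- 4a. Keep pmadb: give the control user a real password (replace the
--     placeholder) and put the same value into controlpass in
--     phpMyAdmin's config.inc.php so the control connection keeps working.
ALTER USER 'pma'@'localhost' IDENTIFIED BY 'CHANGE-ME-to-a-long-random-password';

-- 4b. Or, when pmadb is not needed (as for an OpenTibia server), remove the
--     account entirely, as the post above does.
DROP USER 'pma'@'localhost';

-- 5. Verify: re-run queries 1 and 2; both must return an empty set.
```

Account-management statements such as ALTER USER and DROP USER reload the privilege tables on their own, so no FLUSH PRIVILEGES is needed afterwards.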
 
After installing the MySQL packages you should type:
Code:
mysql_secure_installation
which will fix all vulnerabilities.

Yeap...

Look at this option:

By default, a MySQL installation has an anonymous user, allowing anyone
to log into MySQL without having to have a user account created for
them. This is intended only for testing, and to make the installation
go a bit smoother. You should remove them before moving into a
production environment.
Remove anonymous users? [Y/n] y
... Success!

It removes all anonymous users, because... I could not drop the pma user before.
Now...
#1045 - Access denied for user 'pma'@'localhost' (using password: NO)
#1045 - Access denied for user 'pma'@'localhost' (using password: YES)

I do not use XAMPP, and had the same problem.

:) thankxD
 
lol look, they can't access the databases? Then why is it dangerous?
 
I tried it on 4 OTservers - it works. (No, I am not a hacker)
Delete this user from database if you don't want to be hacked.
 
Obviously 'cause they don't want all wannabe hackers going around fauqking up servers? :huh:

It's better to have wannabe hackers than wannabe OTS owners.
 
Lastly, can Vertrigo Web Server have this security vulnerability too?
Because it uses the same phpMyAdmin, I think; do I need to take care with phpMyAdmin there too?


:blink:
 
It works, but... what exactly does it do? :/ (secure my DB from hackers)??
 
Tala, if I put these lines at the top of phpmyadmin/index.php, can I be sure that nobody can enter my database?

Code:
echo "<h1>Forbidden<br /></h1> You don't have permission to access /phpmyadmin on this server.";
exit;

Also I dropped the pma user, am I 100% safe now? :>
 
@Raffe
It's not even listed there yet...
PS: The funniest part is uploading a backdoor/trojan horse and formatting their computer : ]
 
I'd rather host a server than go around destroying other people's servers just 'cause you're jealous of 'em. <_<
Hacking servers is just lame.

Lame because you do not understand how it works :thumbup:, nor do most "hackers"

Still, full disclosure rocks until many l33b haxx0rs go abuse it :/
 
Lame because you do not understand how it works :thumbup:, nor do most "hackers"

Still, full disclosure rocks until many l33b haxx0rs go abuse it :/


I admit to abusing this bug on many servers, but not to do harm. Many GMs don't believe me until I log in on their GM; I request them to add me on MSN and I explain how this was possible and how to avoid it.

Until now I have "hacked" around 8 OT servers, and they have been secured now, but for some servers my help just came a few days too late so I couldn't help them a full 100%; the only way I could help them was to show how to avoid it.
 