
[Security] A warning to everyone who's running XAMPP.

I've recently seen a lot of users getting hacked, so I've used some of my free time to look into this and I found a "security vulnerability" in phpMyAdmin which comes with XAMPP. The control user pma comes with an empty password as default, and XAMPP does not alert the user about this.

I'm not going to explain in details how you can take advantage of this vulnerability, but to explain it in a single sentence: the user pma has more permissions than it should have.

NOTE: The instructions below will break pmadb. pmadb is not necessary to host an OpenTibia server, so if you want to make this easy for you it's just to drop the control user. If you want to keep pmadb and fix this the proper way you can do as stated in the "Change the password of the “pma” user in phpMyAdmin" section here: XAMPP Security: Create “pma” Password Not Covered by the Security Script and Password Protect XAMPP Folders and Directories.

Instructions to drop the control user:
1. Enter phpMyAdmin with root user.
2. Below the phpMyAdmin logo (at the left sidebar) you can see a button that has the text SQL, click on it.
3. A textbox will appear where you can insert a query, insert this:
Code:
DROP USER 'pma'@'localhost';
4. Click on Execute, if you get any error post it in this thread and we'll try to help you.

Now to be sure it worked, logout from phpmyadmin and try to login with the user pma without any password. If it doesn't work then your server should be secure against this vulnerability.
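The procedure above, gathered into one SQL script that can be pasted into phpMyAdmin's SQL tab while logged in as root. This is an added example, not code from the original post: it first lists every account that can log in with an empty password, then shows both remediations the thread discusses (dropping the control user, or keeping pmadb and giving pma a password), and finishes with a verification query. It assumes a MySQL server of the kind bundled with XAMPP at the time of the thread; the password placeholder and the config.inc.php path are assumptions, not values from the page.

```sql
-- Added example (not from the original post). Run as root in the phpMyAdmin SQL tab.
-- Assumes a MySQL server such as the one bundled with XAMPP.

-- 1. Audit: list every account that can log in with an empty password.
--    On MySQL 5.7+ the column is authentication_string instead of Password.
SELECT User, Host
FROM mysql.user
WHERE Password = '';

-- 2a. Remediation used in the thread: drop the control user entirely.
--     This breaks pmadb, which an OpenTibia server does not need.
DROP USER 'pma'@'localhost';

-- 2b. Alternative that keeps pmadb: give pma a real password.
--     'choose-a-strong-password' is a placeholder; after running this, put the
--     same value in phpMyAdmin's config.inc.php (assumed location:
--     xampp\phpMyAdmin\config.inc.php) as $cfg['Servers'][$i]['controlpass'].
--     On MySQL 8.0 use: ALTER USER 'pma'@'localhost' IDENTIFIED BY '...';
SET PASSWORD FOR 'pma'@'localhost' = PASSWORD('choose-a-strong-password');

-- 3. Verify: either no row comes back (user dropped) or the Password column
--    is a non-empty hash (password set).
SELECT User, Host, Password
FROM mysql.user
WHERE User = 'pma';

FLUSH PRIVILEGES;
```

Run either step 2a or step 2b, not both, since 2b fails once the user has been dropped. The audit query in step 1 is worth running on its own even if you keep pma: it also catches the XAMPP root account, which ships without a password as well.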
 
I admit to abusing this bug on many servers, but not to do harm. Many GMs don't believe me until I log in on their GM; I request them to add me on MSN and I explain how this was possible and how to avoid it.

Until now I have "hacked" around 8 OT servers, and they have been secured now, but for some servers my help just came a few days too late so I couldn't fully help them; the only way I could help them was how to avoid it.

You shouldn't tell them how you did it. I just logged in on some OTs and dropped pma and logged out.
 


I tried that too, but you can't drop the pma user when you are logged in as the pma user! That's why I needed to do that. Of course I gave way too much info, but they are secure.
 
On my phpMyAdmin the pma user can be accessed only from localhost and there's no password really, but if other users that are not on localhost can't access it, there's no problem with no password, right?
 
Lame because you do not understand how it works :thumbup:, nor do most "hackers"

Still, full disclosure rocks until many l33b haxx0rs go abuse it :/

I don't understand why it's fun to destroy random people's servers.
Sure, it would be fun to destroy for someone you hate, but not random people.
You don't gain anything in destroying it... Ah well, everyone thinks differently.
 
omg! Thanks Talaturen, I decided to change the pma password instead of deleting it :p

and.. Rob's Rox xD

Greetings
DX~
 
Damn, I have phpMyAdmin 3.1.1 and it doesn't let me DROP the PMA user =(

UP---

On the newest version, just set a password for root, then enter the database and search for the "Privileges" button, then delete the user pma or set a password.
 
If you can't drop the pma user then change the password on it.
 
Thanks Tala.... but i prefer the more advance option, it gives this message "Cannot log in to the MySQL server" rather than "#1045 - Access denied for user ‘pma’@'localhost’ (using password: NO)" and it really isn't all that long.

Another great help by the Amazing Talaturen
 
#1396 - Operation DROP USER failed for 'pma'@'localhost'


Anyone who knows what's wrong? :p
 
You need to be logged in on root to remove PMA, you're logged in as PMA...
 
I can log in with pma but it doesn't show all things. It can't create databases and it doesn't show all databases, just "information_schema (28)" and "test".

is that ok?
 