Security A warning to everyone who's running XAMPP.

I've recently seen alot of users getting hacked, so I've used some of my free time to look into this and I found a "security vulnerability" in phpMyAdmin which comes with XAMPP. The control user pma comes with an empty password as default, and XAMPP does not alert the user about this.

I'm not going to explain in details how you can take advantage of this vulnerability, but to explain it in a single sentence: the user pma has more permissions than it should have.

NOTE: The instructions below will break pmadb. pmadb is not necessary to host an OpenTibia server, so if you want to make this easy for you it's just to drop the control user. If you want to keep pmadb and fix this the proper way you can do as stated in the "Change the password of the “pma” user in phpMyAdmin" section here: XAMPP Security: Create “pma” Password Not Covered by the Security Script and Password Protect XAMPP Folders and Directories.

Instructions to drop the control user:
1. Enter phpMyAdmin with root user.
2. Below the phpMyAdmin logo (at the left sidebar) you can see a button that has the text SQL, click on it.
3. A textbox will appear where you can insert a query, insert this:

DROP USER 'pma'@'localhost';

4. Click on Execute, if you get any error post it in this thread and we'll try to help you.

Now to be sure it worked, logout from phpmyadmin and try to login with the user pma without any password. If it doesn't work then your server should be secure against this vulnerability.

 

[sorcerers king]

Thanks working.

 

[Atleta]

I knew about this since forever: P

 

[Smoker Boy]

Going to try it out!

 

[Djivar]

I can't even log in to my mysql server :S and i havent done anything :S

 

[GuHB]

I got this .

I just paste and execute things on SQL.
I cant acess the database. if anyone user or password.

Help Fast please.

How can i revert the procediment? :S Or save the actuality database.?

 

[wilkerhell]

@GuHB

Only Enter: http://localhost:8090/phpmyadmin/index.php

;D

 

[Vagabond]

I get this when I follow these steps.

Connection for controluser as defined in your configuration failed.

you should update config.inc.php as well.
It should be noted that the newest version of xampp seems to generate a random password for the PMA user. That or I did it myself and forgot, dunno, it's worth checking.
It's "$cfg['Servers'][$i]['controlpass']" in config.inc.php

 

[gerberos]

Hmm yeah I shall watch out for this. Good you notified us.

 

[Roykuss]

I tried this and now my OT wont lemme get on nor will it let anyone else get on ingame...

 

[Sir Blondi]

Thanks alot

 

[WibbenZ]

@GuHB

Only Enter: http://localhost:8090/phpmyadmin/index.php

;D

wtf
u mean http://localhost/phpmyadmin/index.php??

 

[GOD Half]

Thanks! S2 ;p

 

[Manga Siza]

careful

 

[kasea]

This happens everytime i start to load it up ... what should i do?

 

[kasea]

ImageShack® - Online Photo and Video Hosting
is the link

 

[Sir MoX]

"The next page will show 2 users, “pma” and “root”. On the right side of the row for “pma” is this symbol: , click on it to edit the properties for “pma”.

I dont have 2 users.... I have only root

 

[RazorBlade]

Then obviously you're safe.

 

[Sir MoX]

ok thnks =)

 

[Fu Manchu]

So just don't use Xampp. Lol simple fix uniserver ftw? no?

 

[devianceone]

So just don't use Xampp. Lol simple fix uniserver ftw? no?

No, uniserver is garbage. When I tried it on a VM with XP, it struggled to do simple things like not install services when I simply don't them and the control panel couldn't even properly do simple security checks.