Warning to Xampp users (hacking vulnerable) Read security.

Problems with the Windows version of XAMPP, questions, comments, and anything related.


Postby Znote » 17. November 2008 18:21

www.otland.net has an error report.

Not active here, so not sure if you guys knew it. Sorry if it's already been posted about and solved.

Posted by Talaturen:
I've recently seen a lot of users getting hacked, so I've used some of my free time to look into this and I found a security vulnerability in phpMyAdmin which comes with XAMPP.

I'm not going to explain in detail how you can take advantage of this vulnerability, but to explain it in a single sentence: the user pma has more permissions than it should have.

Do the following things to protect your server:
1. Enter phpMyAdmin with root user.
2. Below the phpMyAdmin logo (at the left sidebar) you can see a button that has the text SQL, click on it.
3. A textbox will appear where you can insert a query, insert this:
DROP USER 'pma'@'localhost';

4. Click on Execute, if you get any error post it in this thread and we'll try to help you.

Now to be sure it worked, log out from phpMyAdmin and try to log in with the user pma without any password. If it doesn't work, then your server should be secure against this vulnerability.

Posted by Mokerhamer:
Yes but it seemed that phpmyadmin 2.11.7 is NOT protected for it and phpmyadmin 2.11.9.2 is.


Hope this will help some Xampp users to prevent being hacked.

Note: What can some users do with access to this vulnerable pma user?

Upload PHP scripts to your Apache host. The more advanced the PHP script, the more dangerous. It's recommended to remove this user.
Znote
 
Posts: 20
Joined: 17. November 2008 18:15

Postby Dave_L » 17. November 2008 19:39

My 'pma' user has a password. It's not something I have to remember or type in, so it's a long string of random characters.

But that user also has very restricted privileges.
Dave_L
 
Posts: 212
Joined: 23. October 2004 00:43

Postby Sharley » 17. November 2008 19:44

User pma is the control user and if removed issues will ensue. Just make sure that the root user sets the pma user permissions to SHUTDOWN only.

http://community.apachefriends.org/f/viewtopi ... 3400#83400
http://community.apachefriends.org/f/viewtopic.php?t=31516

readme-en.txt wrote: A matter of security (A MUST READ!)

As mentioned before, XAMPP is not meant for production use but only for developers in a development environment. The way XAMPP is configured is to be as open as possible, allowing the developer anything he/she wants. For development environments this is great, but in a production environment it could be fatal.

Znote wrote: www.otland.net has an error report.

IMHO not a very authoritative or reliable information source.
Sharley
AF Moderator
 
Posts: 3316
Joined: 03. October 2008 05:10
Location: Yeppoon, Australia Time Zone: GMT/UTC+10
Operating System: Win 7 Pro 32bit/XP Pro SP3
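An audit-and-restrict alternative to dropping the control user outright, combining Znote's verification step (can pma log in with no password?) with Sharley's point that phpMyAdmin still needs its control user. This is an added example, not code from the thread or from XAMPP: <RANDOM_PASSWORD> is a placeholder, the `phpmyadmin` database name and the grant list follow what phpMyAdmin's own documentation requires of its controluser, and the same password must then be placed in `$cfg['Servers'][$i]['controlpass']` in config.inc.php.

```sql
-- 1. Audit: does the control user exist, and does it have an empty password?
--    (mysql.user.Password is the column in MySQL 5.0/5.1 as shipped with XAMPP
--    at the time; MySQL 5.7+ stores it in authentication_string instead.)
SELECT User, Host, (Password = '') AS no_password
FROM mysql.user
WHERE User = 'pma';

-- 2. Audit: what can it currently do? Anything beyond the grants in step 4 is
--    excess privilege that an attacker logging in as pma inherits.
SHOW GRANTS FOR 'pma'@'localhost';

-- 3. Give it a password. <RANDOM_PASSWORD> is a placeholder; use a long random
--    string and copy the same value into phpMyAdmin's config.inc.php.
SET PASSWORD FOR 'pma'@'localhost' = PASSWORD('<RANDOM_PASSWORD>');

-- 4. Strip everything, then grant only what phpMyAdmin documents for its
--    controluser: read-only access to the privilege tables (never the Password
--    column) and read/write on its own bookkeeping database (assumed to be
--    named phpmyadmin here).
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'pma'@'localhost';
GRANT USAGE ON mysql.* TO 'pma'@'localhost';
GRANT SELECT (Host, User, Select_priv, Insert_priv, Update_priv, Delete_priv,
              Create_priv, Drop_priv, Reload_priv, Shutdown_priv, Process_priv,
              File_priv, Grant_priv, References_priv, Index_priv, Alter_priv,
              Show_db_priv, Super_priv, Create_tmp_table_priv, Lock_tables_priv,
              Execute_priv, Repl_slave_priv, Repl_client_priv)
  ON mysql.user TO 'pma'@'localhost';
GRANT SELECT ON mysql.db TO 'pma'@'localhost';
GRANT SELECT ON mysql.host TO 'pma'@'localhost';
GRANT SELECT (Host, Db, User, Table_name, Table_priv, Column_priv)
  ON mysql.tables_priv TO 'pma'@'localhost';
GRANT SELECT, INSERT, UPDATE, DELETE ON phpmyadmin.* TO 'pma'@'localhost';
FLUSH PRIVILEGES;

-- 5. Verify: the audit query must now report no_password = 0, and SHOW GRANTS
--    must list only the statements from step 4.
SELECT User, Host, (Password = '') AS no_password
FROM mysql.user
WHERE User = 'pma';
SHOW GRANTS FOR 'pma'@'localhost';
```

Run it as root from the phpMyAdmin SQL tab or the mysql command-line client; if a later XAMPP ships MySQL without the mysql.host table, drop that single GRANT line.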

Postby Nobbie » 17. November 2008 20:29

Posted by Talaturen:

.. blabla unimportant stuff.

Posted by Xampp: (very very very many times - in vain. obviously):

DONT USE XAMPP FOR PRODUCTIVE SERVER. IT IS A DEVELOPMENT ENVIRONMENT, NOT A PRODUCTIVE ENVIRONMENT.

Some people still don't understand....
Nobbie
 
Posts: 13170
Joined: 09. March 2008 13:04

Postby Znote » 18. November 2008 20:58

Sharley wrote:
Znote wrote: www.otland.net has an error report.
IMHO not a very authoritative or reliable information source.

www.otland.net is a forum merely based on a game, but since we use XAMPP for Apache hosting and the SQL database, we still find errors. (errors and errors <.< sorry, but I think it's a pretty harsh mistake to make it possible to do such things. It's not directly an error.)

XAMPP might not be a preferable system to host this, as several posts here are saying, but it is user friendly, and an easy way for new beginners to get the grasp of using its features.

I am using a slightly modified version of XAMPP for my homepage, at www.z-note.net. And it seems to be working pretty well.

By the way, does anybody here recommend any other tools that are similar to XAMPP to use? :P

Also, I apologize if this has been brought up before; I am not active on this forum, and I am not experienced with this.

Nobbie wrote: Posted by Xampp: (very very very many times - in vain. obviously):

DONT USE XAMPP FOR PRODUCTIVE SERVER. IT IS A DEVELOPMENT ENVIRONMENT, NOT A PRODUCTIVE ENVIRONMENT.

Often new users are entering the Internet and joining some kind of forum.

As long as new beginners keep flooding in, who haven't had time to read every forum that exists in the world, there will always be inexperienced users who have no idea what the hell you're talking about. (a). [sorry my language, and this is no offense]. {Im trying to not get flamed HAHA XD}
Znote
 
Posts: 20
Joined: 17. November 2008 18:15

Re: Warning to Xampp users (hacking vulnerable) Read security.

Postby angero » 01. September 2009 12:42

(...) I'm not going to explain (...)

You act like "here is vulnerable, I won't tell you where, go search for it in all of XAMPP and fix it".

If you want someone to repair it, you should explain as best you can where it is vulnerable, so it can be repaired easily.
angero
 
Posts: 1
Joined: 01. September 2009 12:35
