Problems with MYSQL root password security

Problems with the Windows version of XAMPP, questions, comments, and anything related.

Problems with MYSQL root password security

Postby ldctaylor » 30. March 2009 17:44

Hi,

I have just installed XAMPP, and set a password for the MYSQL root user. If I type in "mysql -u root -p" in the cmd prompt, I am prompted for the password (expected behaviour).

However, when I navigate to localhost/phpmyadmin, I am not prompted to enter the password and I am able to add dbs/tables etc without any prompt for a password. My phpconfig file is as follows:

/* Authentication type and info */
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = 'lwdonmyD';
$cfg['Servers'][$i]['AllowNoPasswordRoot'] = false;

Does anyone have any ideas what I need to do? I tried changing "AllowNoPasswordRoot" to true but that didn't make a difference. I am not even sure what that field is for..

Many thanks in advance,
Leah
ldctaylor
 
Posts: 5
Joined: 30. March 2009 17:37

Re: Problems with MYSQL root password security

Postby Wiedmann » 30. March 2009 17:50

and I am able to add dbs/tables etc without any prompt for a password.

Because of "$cfg['Servers'][$i]['auth_type'] = 'config';", phpMyAdmin is using user and password from the config file, and is not asking you for one.
Wiedmann
AF Moderator
 
Posts: 17106
Joined: 01. February 2004 12:38
Location: Stuttgart / Germany

Re: Problems with MYSQL root password security

Postby ldctaylor » 30. March 2009 18:01

Ooooh I see... thanks Wiedmann... so I need to change this to http or cookies, what is the difference between the two? Apologies if that's a really basic question but I am very new to anything techie and am taking it one step at a time! Also would it be better to change 'AllowNoPasswordRoot'] = true ; to false? What does it do?

Many thanks :)
ldctaylor
 
Posts: 5
Joined: 30. March 2009 17:37

Re: Problems with MYSQL root password security

Postby ldctaylor » 30. March 2009 18:07

I've now changed it to http, and I am prompted for a password when accessing localhost/phpmyadmin, but if I navigate to the mysql/bin folder and open mysql.exe, it opens MYSQL without prompting for a password. I am very confused... :roll:
ldctaylor
 
Posts: 5
Joined: 30. March 2009 17:37

Re: Problems with MYSQL root password security

Postby Wiedmann » 30. March 2009 18:16

http or cookies, what is the difference between the two?

http://wiki.phpmyadmin.net/pma/auth_types

Also would it be better to change 'AllowNoPasswordRoot'] = true ; to false? What does it do?

http://wiki.phpmyadmin.net/pma/Config#A ... sswordRoot

but if I navigate to the mysql/bin folder and open mysql.exe, it opens MYSQL without prompting for a password.

You have an anonymous user in MySQL (allows any user name without password).
Wiedmann
AF Moderator
 
Posts: 17106
Joined: 01. February 2004 12:38
Location: Stuttgart / Germany

Re: Problems with MYSQL root password security

Postby ldctaylor » 31. March 2009 07:42

Hi, thanks for the help, I have made some good progress....

I have now changed the authentication mode to cookies and all seems fine... the one thing I am still puzzled by is the fact that double-clicking on mysql.exe in the bin folder allows me to bypass all security and enter mysql without a password. Why / how does this work? Is it an XAMPP default? It seems a bit of a security flaw to me, unless I am missing something (which is likely - given my newbie status). Wiedmann you mentioned an anonymous user - is this a default with the xampp installation? In my mysql users table there is a row with a blank user name and password, which I imagine is the anonymous user you are referring to, except this blank row has no priveleges but when I open mysql.exe I seem to be logged in as a root user because I have full priveleges.
ldctaylor
 
Posts: 5
Joined: 30. March 2009 17:37

Re: Problems with MYSQL root password security

Postby ldctaylor » 31. March 2009 07:46

Actually, I made a mistake. I just went back again and tried to create a db having opened mysql.exe and I got the message that access was denied. So it looks like the anonymous user doesn't have full priveleges, which is good.. so it looks as you seem to expect... thanks ever so much for your guidance. Would still appreciate some feedback on the reasons why there is an anonymous user and the implications of removing it, if anyone feels kindly enough :)
ldctaylor
 
Posts: 5
Joined: 30. March 2009 17:37


Return to XAMPP for Windows

Who is online

Users browsing this forum: No registered users and 92 guests