Apache Friends Support Forum

by **feck** » 15. November 2012 15:56

I've just noticed after installing XAMPP for the first time in months that in phpMyAdmin users section that there are quite a few other users including:

I came across this after googling XAMPP security and found a tutorial on some extra security considerations around XAMPP http://robsnotebook.com/xampp-security-hardening, telling me that user pma is pre-installed and doesn't require a password, which neets to be changed in the config.inc.php file. Now this tutorial was from 2007, and i was wondering what the exact implications of this are? Whilst writing this post i noticed that from the Users overview panel in phpMyAdmin above that it seemed that i can just make up a name and leave the password blank and still log in, which i did and was successful. As a complete starter in XAMPP, again what are the implications of this, does this leave my system open to abuse and how do i change it?

Also what other potential security holes should i be looking for and plugging?

by **JonB** » 19. November 2012 23:50

If you don't forward ports 80, 443, or 3306 (http,https, and MySQL) on your router and your machine is not directly connected to internet, there are no securitry issues to button up really.

Generally you should have one MySQL user per 'type' of application. The 'root' user should be secured on all hosts. MySQL defines users in terms of host connections. So there is a 'root' @ 'localhost', which has a separate set of permissions/privileges from 'root' @ '%' any host (which should be narrower probably) or 'root' @ 'xxx.yy.zz.nn' or 'root' @ 'host.domain.tld' (meaning 'root' logging in FROM those hosts) EACH has its own entry in the mysql/user table - which means they are treated separately. 'pma' is a special user for phpMyAdmin. If you examine the 'Any' entries, you should see they have 'no' privileges.

GO to Database>mysql>table>user and you can browse what is going on...

Code: Select all: SQL result Host: localhost Database: mysql Generation Time: Nov 19, 2012 at 11:45 PM Generated by: phpMyAdmin 3.5.2 / MySQL 5.5.25a SQL query: SELECT * FROM `user` LIMIT 0, 30 ; Rows: 7 Host User Password Select_priv Insert_priv Update_priv Delete_priv Create_priv Drop_priv Reload_priv Shutdown_priv Process_priv File_priv Grant_priv References_priv Index_priv Alter_priv Show_db_priv Super_priv Create_tmp_table_priv Lock_tables_priv Execute_priv Repl_slave_priv Repl_client_priv Create_view_priv Show_view_priv Create_routine_priv Alter_routine_priv Create_user_priv Event_priv Trigger_priv Create_tablespace_priv ssl_type ssl_cipher x509_issuer x509_subject max_questions max_updates max_connections max_user_connections plugin authentication_string localhost root *1148F7B52BFDDB63C95CC73056410AD3A70F Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y [BLOB - 0 B] [BLOB - 0 B] [BLOB - 0 B] 0 0 0 0 [BLOB - 0 B] linux root Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y [BLOB - 0 B] [BLOB - 0 B] [BLOB - 0 B] 0 0 0 0 [BLOB - 0 B] localhost *61843C6664DA1312B5F4716ED62152FF4B20 N N N N N N N N N N N N N N N N N N N N N N N N N N N N N [BLOB - 0 B] [BLOB - 0 B] [BLOB - 0 B] 0 0 0 0 [BLOB - 0 B] linux N N N N N N N N N N N N N N N N N N N N N N N N N N N N N [BLOB - 0 B] [BLOB - 0 B] [BLOB - 0 B] 0 0 0 0 [BLOB - 0 B] localhost pma N N N N N N N N N N N N N N N N N N N N N N N N N N N N N [BLOB - 0 B] [BLOB - 0 B] [BLOB - 0 B] 0 0 0 0 [BLOB - 0 B] % jonb *05363F68CCCC3F775C0AF7541DA7E682E048 N N N N N N N N N N N N N N N N N N N N N N N N N N N N N [BLOB - 0 B] [BLOB - 0 B] [BLOB - 0 B] 0 0 0 0 [BLOB - 0 B] localhost ODBC N N N N N N N N N N N N N N N N N N N N N N N N N N N N N [BLOB - 0 B] [BLOB - 0 B] [BLOB - 0 B] 0 0 0 0 [BLOB - 0 B]

You can also read what this guy :mrgreen:

wrote other XAMPp security stuff:
http://bravo.newnetenterprises.com/word ... -security/

Little has changed since I wrote that... But I see I should add a section on MySQL users.

Good Luck

Apache Friends Support Forum

security of XAMPP

security of XAMPP

Re: security of XAMPP

Who is online