
How to force creating a MySQL user

Discussion in 'General Discussion' started by orange7, May 23, 2006.

  1. orange7

    orange7 Member

    Apr 14, 2004
    I have an issue, hope someone can help.

    In the past, a lot of the accounts on my server have been hacked. The hackers took the login information out of PHP scripts and with the usernames and passwords they tried to establish an FTP connection.

    In a lot of cases they were successful, because the users on my server used their main username and password to establish a connection to the MySQL database.

    At this moment both connections work to get a connection from php to the MySQL database:

    $base = "username_database";
    $user = "username_mysqluser";
    $password = "mysqluserpassword";
    $host = "localhost";

    $base = "username_database";
    $user = "usernamecpanel";
    $password = "passwordcpanel";
    $host = "localhost";

    When my clients use their cPanel username and password, those will be saved somewhere in a configuration script. With out-of-date scripts, hackers will be able to read the username and password and will try to use them to get an FTP connection.

    When succeeding (which they will) they upload mailers, phishing sites etc. This happened to one of my servers 10 times last month.

    To be able to fight this, I need to find a way to force my clients to make a user for their MySQL connection. And not let them use the cPanel account info.

    My question is simple: How do I manage in WHM that the cPanel username and password cannot be used to set up a connection to the database in scripts.

    I hope someone has an idea or can help me with this.
  2. sparek-3

    sparek-3 Well-Known Member

    Aug 10, 2002
    cPanel Access Level: Root Administrator
    This would be a very good idea. I'm not really sure if it's possible, not without the developers making some changes to the cPanel code I don't think.

    The issue is, cPanel needs the cPanel Username/cPanel Password combination in MySQL, so that the user can create MySQL databases and manage their databases with phpMyAdmin in their control panel. You can't simply remove it, or you would break these features.

    The only way I would know to get around this, would be to have the backend of cPanel create a special MySQL user for accessing this part. For example, instead of phpMyAdmin using the Control Panel username to access the MySQL databases, create a special username like cp_username_mysql and use the account password. End users would still be able to use cp_username_mysql in their scripts, but perhaps they would be less inclined to use this username.

    Ideally, end users would just recognize the security risk in accessing their MySQL database in their script this way. A vulnerability could exist somewhere on your server that would allow outside users to peer into your scripts. Ideally, you would want to prevent this or at least limit this, but I just don't think it's feasible to think that you can account for every possible script vulnerability. If a user is accessing their MySQL database through a script and a malicious user is somehow able to access this, then that malicious user would then have the information necessary to FTP into the account and upload spam/phishing content. If the end users would create a MySQL username AND use a different password than their main account for that MySQL user, then at most a malicious user might be able to deface a MySQL driven website on your account.

    Don't get me wrong, defacing a website is bad, but if I had to choose between a defaced website or unknowingly hosting a spamming script or phishing site, I would take the defacement.

    Like I said, I'm not entirely sure if this would be possible to fix. I'm not sure if my above suggestion would work or not. It would really need to be something that the cPanel developers look into. Others on this forum might be able to offer a better solution or offer more insight.

    I would encourage you to search Bugzilla and see if something such as this has already been suggested. I did a quick search and didn't see anything. If nothing is listed there, you should create an enhancement request at Bugzilla:

    Reference this thread in your Bugzilla entry and reply to this thread with the Bugzilla link so that users can vote for enhancement.
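
Until the panel can enforce a separate MySQL login, an administrator can at least find which accounts are exposed in the way the thread describes. The following is an added example, not part of either post and not cPanel code: it scans each account's PHP files and reports scripts whose database username equals the account name. It assumes home directories are named after the account and that dedicated MySQL users carry the `username_` prefix shown in the first post; the function names are hypothetical.

```python
import re
import sys
from pathlib import Path

# "$user" is the variable used in the thread; the other spellings and the
# DB_USER constant are assumed common variants, not taken from the page.
USER_PATTERNS = (
    re.compile(r"""\$(?:db_?)?user(?:name)?\s*=\s*(['"])(?P<val>[^'"]*)\1""", re.I),
    re.compile(r"""define\(\s*['"]DB_USER(?:NAME)?['"]\s*,\s*(['"])(?P<val>[^'"]*)\1""", re.I),
)


def db_users_in(source):
    """Return every database username literal assigned in a PHP source string."""
    return [m.group("val") for rx in USER_PATTERNS for m in rx.finditer(source)]


def classify(account, db_user):
    """Compare a script's DB login with the account that owns the script."""
    if db_user == account:
        return "main-account"   # same login that opens FTP and cPanel
    if db_user.startswith(account + "_"):
        return "dedicated"      # prefixed MySQL user, as in username_mysqluser
    return "other"


def audit(home_root):
    """Scan <home_root>/<account>/**/*.php; return (account, path) per risky script.

    Assumes each directory under home_root is named after its cPanel account.
    Passwords are never read out or reported, only the username is compared.
    """
    findings = []
    for home in sorted(p for p in Path(home_root).iterdir() if p.is_dir()):
        for php in sorted(home.rglob("*.php")):
            try:
                text = php.read_text(errors="replace")
            except OSError:
                continue        # unreadable file or directory named *.php: skip
            if any(classify(home.name, u) == "main-account" for u in db_users_in(text)):
                findings.append((home.name, str(php)))
    return findings


if __name__ == "__main__":
    for account, path in audit(sys.argv[1] if len(sys.argv) > 1 else "/home"):
        print(f"{account}: {path} logs in to MySQL as the main account user")
```

Each reported account is one whose leaked script configuration would also give FTP access, so those are the customers to ask for a dedicated MySQL user and a changed account password.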
