Major Security issue with phpMyAdmin

Discussion in 'Security' started by PPNSteve, Feb 22, 2004.

  1. PPNSteve

    PPNSteve Well-Known Member

    Joined:
    Mar 13, 2003
    Messages:
    393
    Likes Received:
    1
    Trophy Points:
    18
    Location:
    Somewhere in Ilex Forest
    cPanel Access Level:
    Root Administrator
    Twitter:
    Help!! There seems to be some major issue in phpMyAdmin. When a user (in control panel) logs in, they can see ALL the databases on the server.

    This only started happening since we upgraded to the 8.8 r37 release.

    Any solutions / help avail?
     

    Attached Files:

  2. SuperBaby

    SuperBaby Well-Known Member

    Joined:
    Nov 27, 2003
    Messages:
    331
    Likes Received:
    0
    Trophy Points:
    16
    Location:
    Thailand
    cPanel Access Level:
    Website Owner
    Twitter:
    No. The customer can only see his own database. You will see all only if you access phpMyAdmin from the WHM as the root.
     
  3. PPNSteve

    Take a look at the screenshot I attached.. it is from a user's control panel access to phpMyAdmin and lists ALL the databases on the server. (I logged in as the user, with his username/pass)
     
  4. SuperBaby

    I tested mine and saw no such problem.

    WHM 8.8.0 cPanel 8.8.0-S74
    RedHat 9 - WHM X v2.1.2
     
  5. HostDime

    HostDime Well-Known Member
    PartnerNOC

    Joined:
    Mar 15, 2003
    Messages:
    81
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Orlando, Florida
    try

    /scripts/fixcommonproblems;/scripts/fixeverything;/scripts/sysup;/scripts/upcp

    :eek:
     
  6. PPNSteve

    well anyone else have an idea, solution??
     
  7. HostDime

  8. PPNSteve

    OK, I'll try those fix scripts and updaters.. but I ran the /scripts/fixeverything the day before yesterday to resolve another (quotas not showing) issue.
     
  9. HostDime

    Do it up... If you need any help, I can help you out, aim are. ;)
     
  10. PPNSteve

    Ok those scripts didn't work..

    We've now upgraded to:
    WHM 8.9.0 cPanel 8.9.0-R33
    RedHat 7.3 - WHM X v2.1.2

    and are still getting this error, a trouble ticket has been opened with cPanel.. once I have the ticket number I'll update this thread with it.
     
  11. PPNSteve

    ok ticket number posted (40308)

    cPanel.net Support Ticket Number: 40308
     
  12. HostDime

    Couldn't investigate more because user didn't want to give me access :p :eek: :p :eek: :D ;)
     
  13. hostit1

    hostit1 Well-Known Member

    Joined:
    Jul 24, 2003
    Messages:
    88
    Likes Received:
    0
    Trophy Points:
    0
    I am having the same exact problem. I even downgraded to the cPanel current release. It clearly is a MySQL database permission. Users should not have the ability to browse or execute SQL statements in databases not owned by them. I am sure a quick SQL statement would fix the problem . . . but I don't like messing around with this on a production machine.

    Does anyone have any insight as to what exactly is causing this? I have been able to duplicate this problem on 2 separate servers. One running Fedora and the other RH 9.

    Tim Rice
    Host It Now Networks
     
  14. HostIt

    HostIt Well-Known Member

    Joined:
    Feb 22, 2003
    Messages:
    151
    Likes Received:
    1
    Trophy Points:
    18
    Can they actually execute statements & read records etc in other DBs, or simply see them all listed? There is quite a difference. An install of phpMyAdmin can be set to allow all databases to be seen - that's not such a big issue. However, if the permissions actually allow changes to be made, that's a whole different kettle of fish ;)
     
  15. PPNSteve

    In my case they could access, edit, add, etc them.. big, boiling kettle-o-fish!
    It has since been corrected by Nick at cPanel. I'll add more details as to what the problem was and the fix as soon as I have that info.
     
  16. hostit1

    Ahhh . . . that's really bad. I don't have that problem.
     
  17. PPNSteve

    OK this is getting pretty bad... cPanel did its normal update, to 8.9.0-CURRENT 61 and once again phpMyAdmin lets users see ALL the databases on the server.

    Now Nick and Darren both worked on this issue over the last few days, and it WAS fixed as of 2/25/2004.

    There has to be some bug in the latest releases or something.

    Hope someone can help, again.
     
  18. fwn_brian

    fwn_brian Registered

    Joined:
    Mar 18, 2004
    Messages:
    4
    Likes Received:
    0
    Trophy Points:
    1
    I'm having the same problem, except for in my case they get an access denied error when they try to add fields/tables/etc, and they cannot see a list of the tables in the database, the database is listed as database (-) (meaning an empty database).

    Still, obviously I would like to fix this problem, not because I see it as a security risk, it's still secure, however it's sloppy because I don't want my users seeing all of the databases on our server.
     
  19. PPNSteve

    Another problem I recently noticed, if you do a db dump from phpMyAdmin on a database you do have access to, you get a list of 'create database' in your dumps with ALL the databases listed.. (both before your 'dump data' and after it)

    this can only cause problems if you're relying on that dump as a backup or to move to another server.. (found out the hard way :( )
     
  20. jeroman8

    jeroman8 Well-Known Member

    Joined:
    Mar 14, 2003
    Messages:
    410
    Likes Received:
    0
    Trophy Points:
    16
    Any update on this ?

    I have a user saying the same thing but I can't duplicate the issue!

    Regards Jerry
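
The thread separates two cases: a user who can only see other database names, and a user who actually holds privileges on other accounts' databases. The check below tells them apart from SHOW GRANTS output. It is an added example, not part of the original thread or cPanel's code; the account name "bob", the sample grant lines and the <account>_ database-name prefix are assumptions.

```python
import re

# One SHOW GRANTS line: GRANT <privs> ON <db>.<table> TO 'user'@'host' ...
GRANT_RE = re.compile(r"^GRANT (?P<privs>.+?) ON (?P<db>`[^`]*`|\*)\.\S+ TO ")

def literal_prefix(pattern):
    """Return the part of a MySQL database pattern before its first unescaped wildcard."""
    head = re.match(r"(?:\\.|[^%_\\])*", pattern).group(0)  # stop at a bare % or _
    return re.sub(r"\\(.)", r"\1", head)                     # \_ and \% are literal

def audit(account, grant_lines):
    """Return (kind, privileges) for every grant reaching beyond the account's own databases."""
    findings = []
    for line in grant_lines:
        m = GRANT_RE.match(line.strip())
        if not m:
            continue
        privs = {p.strip().upper() for p in m.group("privs").split(",")} - {"USAGE"}
        if not privs:
            continue                    # USAGE alone only allows connecting
        if m.group("db") == "*":
            # Global grant: SHOW DATABASES exposes names only, anything else exposes data
            kind = "LIST_ONLY" if privs == {"SHOW DATABASES"} else "GLOBAL_DATA"
        elif literal_prefix(m.group("db").strip("`")).startswith(account + "_"):
            continue                    # confined to <account>_* (assumed naming scheme)
        else:
            kind = "FOREIGN_DB"         # pattern can match another account's database
        findings.append((kind, sorted(privs)))
    return findings

# Constructed SHOW GRANTS output for a hypothetical account "bob"
SAMPLES = {
    "listing_only": [
        "GRANT SHOW DATABASES ON *.* TO 'bob'@'localhost'",
        r"GRANT ALL PRIVILEGES ON `bob\_%`.* TO 'bob'@'localhost'",
    ],
    "cross_account": [
        "GRANT USAGE ON *.* TO 'bob'@'localhost'",
        "GRANT SELECT, INSERT, UPDATE ON `%`.* TO 'bob'@'localhost'",
        "GRANT SELECT ON `bob_shop`.* TO 'bob'@'localhost'",
    ],
}

if __name__ == "__main__":
    for label, lines in SAMPLES.items():
        print(label, "->", audit("bob", lines))
```

The last sample line is flagged because an unescaped underscore in a database-level grant is a single-character wildcard, so `bob_shop` also matches names outside the `bob_` prefix.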
     