The Community Forums


phpmyadmin and sess files problem - unencrypted password

Discussion in 'Database Discussions' started by zalutao, Feb 24, 2008.

  1. zalutao

    zalutao Member

    Joined:
    Apr 27, 2006
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    Hi, I have a problem with these files: it seems that phpMyAdmin leaves the unencrypted user password in sess_ files in /tmp. For example, if I log in to cPanel, go to phpMyAdmin and don't click Log out in phpMyAdmin, it leaves the unencrypted password in the sess file. This is part of a sess file:
    s:11:"controlpass";s:0:"";s:9:"auth_type";s:4:"http";s:4:"user";s:7:"XXXX";s:8:"password";s:12:"XXXXX";
     
  2. Silver_2000

    Silver_2000 Well-Known Member

    Joined:
    Mar 31, 2002
    Messages:
    338
    Likes Received:
    1
    Trophy Points:
    18
    It seems that if you don't log out, a sess file is left in /tmp that has the MySQL password in it unencrypted.
    They are all ~17k files.
    If you log out in phpMyAdmin the sess file is removed, but if you close the browser the file is left behind.

    One thing you can do to limit the exposure is not use the same password for the server and for MySQL.

    I hope that cPanel can help lower the risk of this issue.
     
  3. zalutao

    zalutao Member

    Joined:
    Apr 27, 2006
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    @Silver_2000

    If you go to phpMyAdmin in WHM (you are logged in as root), it leaves a sess file with the root pass...
     
  4. Silver_2000

    Silver_2000 Well-Known Member

    Joined:
    Mar 31, 2002
    Messages:
    338
    Likes Received:
    1
    Trophy Points:
    18
    No, it doesn't.
    I log in to WHM as root.

    My root password and my MySQL password are different.
    In looking at the session files in a text editor, my server root password is NOT in the file, BUT the MySQL "root" password is.
     
  5. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Joined:
    Apr 7, 2006
    Messages:
    4,461
    Likes Received:
    22
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    Are you (anyone with this issue) using the internal cPanel PHP binary or the system one?
     
  6. Silver_2000

    Silver_2000 Well-Known Member

    Joined:
    Mar 31, 2002
    Messages:
    338
    Likes Received:
    1
    Trophy Points:
    18
    I haven't made any changes.

    How would I check?
     
  7. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    Joined:
    Apr 7, 2006
    Messages:
    4,461
    Likes Received:
    22
    Trophy Points:
    38
    cPanel Access Level:
    Root Administrator
    Then you are using the internal binary.

    I'm reporting this issue to the developers. Thank you.
     
  8. zalutao

    zalutao Member

    Joined:
    Apr 27, 2006
    Messages:
    5
    Likes Received:
    0
    Trophy Points:
    1
    @cPanelKenneth
    Using the cPanel binary, done all updates with EasyApache...

    @Silver_2000, that is not my point. I can change the MySQL root pass, but even that leaves an unencrypted pass in sess files, only this time the MySQL root pass, which is very hazardous. Also, now I would need to change the MySQL pass for every single user on the server so that "only" MySQL is vulnerable? That is just not a solution to this problem.
     
  9. OMP

    OMP Member

    Joined:
    May 14, 2004
    Messages:
    14
    Likes Received:
    0
    Trophy Points:
    1
    Mine has been doing this for a while now. I figured it was due to some mods I had done; I guess I'm not the only one then.
     
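A defender-side check for the condition described in the posts above, added here as an example and not code from the thread, from cPanel or from phpMyAdmin: it parses the serialized `s:<len>:"key";s:<len>:"value";` pairs shown in the first post, flags sess_ files that still carry a non-empty password, records whether each is stale and world-readable, and can delete the stale ones. The directory, file names, usernames and passwords in the sample are constructed; 1440 s is PHP's default session.gc_maxlifetime.

```python
import os, re, stat, tempfile, time

# One serialized PHP string pair, the form seen in the dump above; non-string values are skipped.
PAIR_RE = re.compile(r's:\d+:"([^"]*)";s:(\d+):"')

def parse_session_strings(data):
    """Map string keys to string values, honouring the declared value length."""
    out, pos = {}, 0
    while (m := PAIR_RE.search(data, pos)):
        key, vlen, start = m.group(1), int(m.group(2)), m.end()
        out[key] = data[start:start + vlen]
        pos = start + vlen
    return out

def audit_session_dir(directory, max_age_s=1440):
    """Flag sess_* files holding a non-empty 'password'; note age and mode."""
    findings, now = [], time.time()
    for name in sorted(os.listdir(directory)):
        if not name.startswith("sess_"):
            continue
        path = os.path.join(directory, name)
        st = os.stat(path)
        with open(path, errors="replace") as fh:
            fields = parse_session_strings(fh.read())
        if fields.get("password"):
            findings.append({"file": name, "user": fields.get("user", ""),
                             "stale": now - st.st_mtime > max_age_s,
                             "world_readable": bool(st.st_mode & stat.S_IROTH)})
    return findings

def remove_stale(directory, findings):
    """Delete the flagged files that are already stale; returns the count."""
    removed = 0
    for f in findings:
        if f["stale"]:
            os.unlink(os.path.join(directory, f["file"]))
            removed += 1
    return removed

def build_sample_dir():
    """Constructed sample: a stale file with a password, a fresh one without."""
    d = tempfile.mkdtemp()
    stale = os.path.join(d, "sess_abc123")
    with open(stale, "w") as fh:
        fh.write('a:4:{s:11:"controlpass";s:0:"";s:9:"auth_type";s:4:"http";'
                 's:4:"user";s:5:"alice";s:8:"password";s:9:"s3cr3t-pw";}')
    with open(os.path.join(d, "sess_def456"), "w") as fh:
        fh.write('a:2:{s:4:"user";s:3:"bob";s:8:"password";s:0:"";}')
    os.chmod(stale, 0o644)                        # world-readable, as in a shared /tmp
    os.utime(stale, (time.time() - 7200,) * 2)    # two hours old: past gc_maxlifetime
    return d
```

Running audit_session_dir("/tmp") on a live server lists the leftover files with a password still inside; remove_stale only touches the ones PHP's garbage collector should already have expired.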