phpmyadmin bug?

Discussion in 'Database Discussions' started by Kikkorm, May 18, 2006.

  1. Kikkorm

    Kikkorm Member

    Hi, I have a cPanel server with several domains. I'm not a hosting reseller; I use my websites for myself.
    Yesterday I created FTP access to the public_html of ONE of my websites for a friend of mine. He's more of a newbie than me.
    While he was trying to install a content manager, he installed a copy of phpMyAdmin into the public_html directory of this website.
    Here is the bug... just by opening the website at the phpmyadmin directory (www.site.com/phpmyadmin), EVERYBODY would be able to delete any table and database on my ENTIRE SERVER. EVERY DOMAIN WAS AFFECTED!!!!!! I tried it myself; from that phpMyAdmin, as a normal anonymous user, I was able to delete database entries of another website.
    Is there a way to fix this kind of bug?
    I'm thinking of people reselling their space: with such a bug, everybody could destroy everything.
    Thanks for helping, sorry for my rusty English.
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Password protect it, or use phpMyAdmin from within cPanel.
     
  3. mctDarren

    mctDarren Well-Known Member

    Sounds to me like phpmyadmin was connecting to mysql as root or with root password. Or perhaps the reseller has root privs? If you connect with mysql root, you'll see everything.
     
  4. Kikkorm

    Kikkorm Member

    The problem is a little different:
    every user, without logging in, could see every database and delete it, even if it was protected by a password.
    This is an example of what could happen:
    Mr. A owns a server and sells 10 hosting plans to people; his server has 10 independent domains.
    If just one of those ten people installs phpMyAdmin in his public_html, he'll be able to delete every database on the entire server, even if protected by a password.
    How can I fix this?
    Thanks :)
     
  5. mctDarren

    mctDarren Well-Known Member

    Did you try running /scripts/securemysql? This isn't a bug with phpmyadmin, it's a configuration problem.
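
An added example, not from any poster in this thread and not cPanel's or phpMyAdmin's own code: a Python audit for the configuration problem mctDarren describes, where a phpMyAdmin copy in a web root has MySQL credentials stored in `config.inc.php` under `auth_type` `config`. The sample config, its placeholder password and the `/home` scan path are constructed assumptions.

```python
import re
from pathlib import Path

# Matches assignments such as: $cfg['Servers'][$i]['auth_type'] = 'config';
SETTING = re.compile(
    r"""\$cfg\['Servers'\]\[[^\]]+\]\['(auth_type|user|password)'\]\s*=\s*(['"])(.*?)\2\s*;"""
)

# Constructed sample of a risky config.inc.php (placeholder password, not a real one).
SAMPLE = """<?php
// $cfg['Servers'][$i]['auth_type'] = 'cookie';
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = 'root';
$cfg['Servers'][$i]['password'] = 'example-not-a-real-password';
"""

def parse_server_settings(php_text):
    """Return the last assigned auth_type/user/password, skipping commented lines."""
    settings = {}
    for line in php_text.splitlines():
        stripped = line.strip()
        if stripped.startswith(("//", "#", "*", "/*")):
            continue
        match = SETTING.search(stripped)
        if match:
            settings[match.group(1)] = match.group(3)
    return settings

def findings(settings):
    """Explain why this config lets any visitor act on MySQL without logging in.
    Only explicit settings are judged; a missing auth_type is not flagged (assumption)."""
    out = []
    if settings.get("auth_type") == "config":
        user = settings.get("user", "")
        out.append(f"auth_type 'config': visitors are connected as '{user}' with no login prompt")
        if user == "root":
            out.append("stored account is MySQL root: every database on the server is reachable")
        if settings.get("password") == "":
            out.append("stored password is empty")
    return out

def audit_docroots(base):
    """Scan everything under `base` for config.inc.php files and report the risky ones."""
    report = {}
    for cfg in Path(base).rglob("config.inc.php"):
        issues = findings(parse_server_settings(cfg.read_text(errors="replace")))
        if issues:
            report[str(cfg)] = issues
    return report

if __name__ == "__main__":
    print(findings(parse_server_settings(SAMPLE)))
    print(audit_docroots("/home"))  # assumed location of account home directories
```

Any file it reports should be switched to an interactive login or placed behind password protection, as Infopro suggests above.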
     