MN-Robert

Well-Known Member
Feb 19, 2003
A client has just found another major bug. It's been verified by us; this has the potential to ruin a lot of accounts (if you offer reseller accounts mostly) but it could affect virtual hosting also.

Basically say you create a new username "billy" then at a later stage a reseller/you creates another account "billy-" .

"billy-" has access to all of "billy"'s mysql data. Not sure about the other stuff, however mysql is more than enough and users that are out with a vengeance can wreak havoc on servers.

Has anyone else seen this happen before?
 

LS_Drew

Well-Known Member
Feb 20, 2003
Testing it now here. It definitely shows mysql data, but I can't get access to anything else.
 

LS_Drew

Well-Known Member
Feb 20, 2003
If you create an account to test it out, don't delete it! It'll take the original account holder's database with it when it is deleted.

That's the most disturbing part of this...anyone can delete any database on the machine that they choose just by creating an account and deleting it.
 

MN-Robert

Well-Known Member
Feb 19, 2003
Thanks, our user asked that question; I didn't check it on a test account. This is quite disturbing.
 

trakwebster

Well-Known Member
Jan 29, 2003
Close the door - the burglar doesn't matter.

Originally posted by thaphantom
submit a bug report... don't know how much can be done about this as it appears to be a mysql problem...
Hi, thaphantom,

Actually, the cpanel flaw here -- and one which should be modestly easy for them to fix -- is that on a given server, nobody should be able to create a new user with the same name as an existing user.

The ability to have two same-name or functionally-same-name users has just got to lead to difficulties.

And the simplest case of mistaken identity can cause damage. So it would seem that if 'billy' is on the server, then billy-, billyboy, and billygoat need to be blocked, if they are functionally the same anywhere.

Or, as robocop says, 'There will be ... trouble.'

-- Arthur Cronos from Voltos
 

sitehostz

Well-Known Member
Nov 30, 2002
Reply:

Not sure why this would happen either. Cpanel shouldn't let databases be deleted since billy and billy- should both have separate passwords. This would seem to be a cpanel issue to me.

I know in the past that users can upload phpmyadmin and set the login as root and are then able to view all databases on the server. You can also look at most of the contents in the DBs if you really know your way around, but you can't modify anything without the password, so this should be the same no matter what username you are using.

My thoughts anyway.
Chris
 

fgauthier

Member
PartnerNOC
Feb 22, 2003
I've known about this issue for a while already; it's been there since the beginning.
MySQL username or database creation ignores the - char and thus creates a problem.
 

rochen

Active Member
PartnerNOC
Mar 5, 2002
I was just thinking about this bug some more. What would happen if someone made a user called "root-" ?
 

visiondream3

Active Member
Mar 3, 2003
phpmyadmin error

Warning: Failed opening './libraries/auth/http.auth.lib.php' for inclusion (include_path='/usr/local/cpanel/3rdparty/lib/php/') in /usr/local/cpanel/base/3rdparty/phpMyAdmin/libraries/common.lib.php on line 569

Fatal error: Call to undefined function: pma_auth_check() in /usr/local/cpanel/base/3rdparty/phpMyAdmin/libraries/common.lib.php on line 570

Anyone heard of this error when you click on the phpmyadmin button?
I have a serverside problem. phpmyadmin doesn't work.

can anyone please help !!!
 

tdkoll

Registered
Feb 4, 2003
visiondream.. I have fixed the issue. The permissions and the ownerships of the files in the folder /usr/local/cpanel/base/3rdparty/phpMyAdmin were wrong. The ownership should be cpanel.cpanel and the permissions should be 700. That did the trick. :)
 

cPanelNick

Administrator
Staff member
Mar 9, 2015
ok
6.2.0 builds don't allow you to add a user with a - in them if there is a username that would be the same as the user without the - in it.
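As an added example (not cPanel's code), the collision check this thread converges on: the panel derives the MySQL name by dropping the "-" character, so "billy-" and "billy" (and "root-" and "root") share one MySQL identity. The account data and the exact stripping rule are assumptions constructed for the example; the second function also shows why deleting the colliding account takes the original user's databases with it.

```python
import re

# Constructed sample state for a shared host: system users and the
# MySQL databases each one owns (names are examples, not from the thread).
ACCOUNTS = {"billy": ["billy_shop"], "alice": ["alice_blog"], "root": []}


def mysql_name(username: str) -> str:
    """Model the name the panel hands to MySQL. The thread reports that
    '-' is ignored on MySQL user/database creation, so 'billy-' maps to
    'billy'. Treating it as a plain strip is an assumption of this example."""
    return username.replace("-", "")


def colliding_user(username: str, accounts=ACCOUNTS):
    """Return the existing account whose MySQL name equals the MySQL name
    of the requested username, or None when nothing collides."""
    target = mysql_name(username)
    for existing in accounts:
        if mysql_name(existing) == target:
            return existing
    return None


def validate_new_user(username: str, accounts=ACCOUNTS):
    """Decide whether a new account may be created. Returns (ok, reason).
    Rejects names that are already taken and names whose MySQL identity
    would be shared with another user, which is the 6.2.0 behaviour above."""
    if not re.fullmatch(r"[a-z][a-z0-9-]{0,15}", username):
        return False, "invalid username"
    if username in accounts:
        return False, "username already exists"
    clash = colliding_user(username, accounts)
    if clash is not None:
        return False, f"MySQL name {mysql_name(username)!r} collides with {clash!r}"
    return True, "ok"


def databases_dropped_on_delete(username: str, accounts=ACCOUNTS):
    """Model the hazard LS_Drew describes: a delete that removes everything
    under the account's MySQL name also removes the databases of any other
    user who maps to that same name. Returns the databases that would go."""
    target = mysql_name(username)
    dropped = []
    for owner, dbs in accounts.items():
        if mysql_name(owner) == target:
            dropped.extend(dbs)
    return dropped
```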