Wow Another Major Bug!

Discussion in 'General Discussion' started by MN-Robert, Mar 9, 2003.

  1. MN-Robert

    MN-Robert Well-Known Member

    A client has just found another major bug. It's been verified by us. This has the potential to ruin a lot of accounts (if you offer reseller accounts mostly) but it could affect virtual hosting also.

    Basically, say you create a new username "billy", then at a later stage a reseller/you creates another account "billy-".

    "billy-" has access to all of "billy"'s mysql data. Not sure about the other stuff, however mysql is more than enough, and users that are out with a vengeance can wreak havoc on servers.

    Has anyone else seen this happen before?
     
  2. LS_Drew

    LS_Drew Well-Known Member

    Testing it now here. It definitely shows mysql data, but I can't get access to anything else.
     
  3. LS_Drew

    LS_Drew Well-Known Member

    If you create an account to test it out, don't delete it! It'll take the original account holder's database with it when it is deleted.

    That's the most disturbing part of this...anyone can delete any database on the machine that they choose just by creating an account and deleting it.
     
  4. MN-Robert

    MN-Robert Well-Known Member

    Thanks, our user asked that question; I didn't check it on a test account. This is quite disturbing.
     
  5. MN-Robert

    MN-Robert Well-Known Member

    Maybe the next version addresses this problem?
     
  6. trakwebster

    trakwebster Well-Known Member

    Close the door - the burglar doesn't matter.

    Hi, thaphantom,

    Actually, the cpanel flaw here -- and one which should be modestly easy for them to fix -- is that on a given server, nobody should be able to create a new user with the same name as an existing user.

    The ability to have two same-name or functionally-same-name users has just got to lead to difficulties.

    And the simplest case of mistaken identity can cause damage. So it would seem that if 'billy' is on the server, then billy-, billyboy, and billygoat need to be blocked, if they are functionally the same anywhere.

    Or, as robocop says, 'There will be ... trouble.'

    -- Arthur Cronos from Voltos
     
  7. sitehostz

    sitehostz Well-Known Member

    Reply:

    Not sure why this would happen either. Cpanel shouldn't let databases be deleted since billy and billy- should both have separate passwords. This would seem to be a cpanel issue to me.

    I know in the past that users can upload phpmyadmin and set the login as root and are then able to view all databases on the server. You can also look at most of the contents in the db's if you really know your way around, but you can't modify anything without the password, so this should be the same no matter what username you are using.

    My thoughts anyway.
    Chris
     
    #7 sitehostz, Mar 10, 2003
    Last edited: Mar 10, 2003
  8. hostdog

    hostdog Registered

    Wow another one.

    Thanks for the heads up
     
  9. fgauthier

    fgauthier Member
    PartnerNOC

    I've known about this issue for a while already; it's been there since the beginning.
    mysql username or database creation ignores the - char and thus, that creates a problem.
     
  10. rochen

    rochen Active Member
    PartnerNOC

    I was just thinking about this bug some more. What would happen if someone made a user called "root-" ?
     
  11. Brad

    Brad Well-Known Member

    Did someone already submit this bug?
     
  12. cPanelNick

    cPanelNick Administrator
    Staff Member

    mysql doesn't allow -s in db names. The flip side of this is that the only way to fix it is to disable -s in usernames.
     
  13. visiondream3

    visiondream3 Active Member

    phpmyadmin error

    Warning: Failed opening './libraries/auth/http.auth.lib.php' for inclusion (include_path='/usr/local/cpanel/3rdparty/lib/php/') in /usr/local/cpanel/base/3rdparty/phpMyAdmin/libraries/common.lib.php on line 569

    Fatal error: Call to undefined function: pma_auth_check() in /usr/local/cpanel/base/3rdparty/phpMyAdmin/libraries/common.lib.php on line 570

    Anyone heard of this error, when you click on the phpmyadmin button?
    I have a serverside problem. phpmyadmin doesn't work.

    can anyone please help !!!
     
  14. tdkoll

    tdkoll Registered

    visiondream.. I have fixed the issue. The permissions and the ownerships of the files in the folder /usr/local/cpanel/base/3rdparty/phpMyAdmin were wrong. The ownership should be cpanel.cpanel and the permissions should be 700.
    That did the trick. :)
     
  15. cPanelNick

    cPanelNick Administrator
    Staff Member

    ok
    6.2.0 builds don't allow you to add a user with a - in them if there is a username that would be the same as the user without the - in it.
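
Added example, not part of the original thread and not cPanel's code: a creation-time check and an audit for the collision discussed above, assuming the database layer drops `-` from the account name as reported in the thread. The function names, the reserved-name set and the sample account list are assumptions made for illustration; the check is symmetric, so it also refuses "billy" when "billy-" already exists.

```python
from typing import Dict, List, Optional

# Assumed reserved database-side names (the thread raises "root-").
RESERVED = {"root"}

def db_owner_key(username: str) -> str:
    """Key the database layer effectively uses for an account.

    Assumption taken from the thread: '-' is ignored, so 'billy-'
    and 'billy' end up owning the same databases.
    """
    return username.replace("-", "")

def creation_error(new_user: str, existing: List[str]) -> Optional[str]:
    """Return the reason to refuse account creation, or None if it is safe."""
    key = db_owner_key(new_user)
    if not key:
        return "empty after normalization"
    if key in RESERVED:
        return f"normalizes to reserved name {key!r}"
    for user in existing:
        if db_owner_key(user) == key:
            return f"collides with existing account {user!r}"
    return None

def audit(existing: List[str]) -> Dict[str, List[str]]:
    """Group accounts that already share a key, for servers that
    created accounts before any such check was in place."""
    groups: Dict[str, List[str]] = {}
    for user in existing:
        groups.setdefault(db_owner_key(user), []).append(user)
    return {k: v for k, v in groups.items() if len(v) > 1}

# Constructed sample account list, not taken from any real server.
SAMPLE_ACCOUNTS = ["billy", "alice", "bil-ly", "web-shop"]

if __name__ == "__main__":
    for candidate in ("billy-", "root-", "billyboy"):
        print(candidate, "->", creation_error(candidate, ["billy"]))
    print("already colliding:", audit(SAMPLE_ACCOUNTS))
```
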
     