Subject:*
<
Name/Email:*
<
Message Icon:*
<
Select*
<
Message:*
<



Click the Preview to see the content in action.
Options:*
<
Confirmation Code*
<
8 + 9 = ?  
Input the result from the expression
Maximum attempts you can try: 10
*
<
     

Re: Possible PHPMyAdmin risk
by intel352 on 2003/12/1 10:24:15

heh, sry, i accidentally clicked on the link while trying to copy the end part

i tried it on one of my XOOPS sites (without the phpsessid), it only worked when i was still logged in as the admin, but i tried again after having logged out (still without the phpsessid), it *didn't* work


so i'm betting the hole is fixed or never existed, unless someone gets your phpsessid (which would suggest they could do the same to any other admin module in your site)
Re: Possible PHPMyAdmin risk
by supernix on 2003/5/29 4:21:39

Definately a good idea. Had I thought about that I would not had reason for posting this thread. I think everyone should use your suggested security measure that use the 4mps phpmyadmin 240-rc1 module.

I posted that I had removed the module but you would be suprised how many people still tried to use that URL. I am curious if anyone else ran that similar URL on their domain using the same module?


Steve,
http://www.dnspad.com/
Re: Possible PHPMyAdmin risk
by tom on 2003/5/29 3:21:11

I asked a simerlar question, about the security, but don't seem to remember getting a reply, but then I posted straight mentioned to cut the risk you could, and I would any way, protect the directory with .htaccess, then you run no risk of direct access to your database through PHPmyadmin.

The only downside to this, is you gotta log in twice, once admin, then second to phpmyadmin.

I thought it might be worth mentioning the .htaccess thing.
Re: Possible PHPMyAdmin risk
by supernix on 2003/5/29 3:08:11

That is pretty much what I did.
I was not exactly sure if that was definately
a security breach. But it sure looked like one when I followed that url to the backend of the database.
Re: Possible PHPMyAdmin risk
by ronhab on 2003/5/28 16:20:21

Maybe I am paranoid, but this is what I would do.

Backup your database & your site.

Then I suggest you create a new admin/webmaster account with
a different password and delete the old admin account.

Backup the database a second time.

Then I would also change the MySQL username and password and
alter my XOOPS install to use the new combination. (You
cold even clone the database over into one with a new name
as well). I believe the database connection information is
stored in mainfile.php, but it may be somewhere else too,
perhaps one of the developers can give more info on this.

Last, make sure your session time isn't set for very long
and make sure you choose logout each time so that the
webmaster session is terminated and not left open.

If something goes wrong, you have a backup of your site and
two of your database to revert to.

Who's Online

176 user(s) are online (135 user(s) are browsing Support Forums)


Members: 0


Guests: 176


more...

Donat-O-Meter

Stats
Goal: $15.00
Due Date: Jul 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $15.00
Make donations with PayPal!

Latest GitHub Commits