1
supernix
Possible PHPMyAdmin risk
  • 2003/5/28 9:41

  • supernix

  • Not too shy to talk

  • Posts: 151

  • Since: 2003/3/13


This morning going over the logs I found this
Host: 203.217.41.124 Url: /modules/phpmyadmin/admin/sql.php?lang=en-iso-8859-1&server=1&db=supernix_xoops&table=xoops_config&goto=tbl_properties.php&back=tbl_properties.php&sql_query=SELECT+%2A+FROM+%60xoops_config%60&pos=0&PHPSESSID=aed13a2e3e593f9d7c893a483bf3481e Http Code : 200
Date: May 28 03:15:17 Http Version: HTTP/1.1 Size in Bytes: 244435
Referer:http://www.dnspad.com/modules/phpmyadmin/admin/sql.php?lang=en-iso-8859-1&server=1&db=supernix_xoops&table=xoops_config&goto=tbl_properties_structure.php&back=tbl_properties_structure.php&sql_query=SELECT+%2A+FROM+%60xoops_config%60&pos=0&PHPSESSID=aed13a2e3e593f9d7c893a483bf3481e Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; YComp 5.0.0.0; .NET CLR 1.0.3705)

and when I went to that URL it showed the PHPMyadmin and the table with options to manipulate the tables and such.


And shortly before that I found this:
Host: 210.50.219.22 Url: /modules/phpmyadmin/admin/index.php Http Code : 200
Date: May 28 03:13:41 Http Version: HTTP/1.1 Size in Bytes: 642
Referer: - Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

So I don't know if it is a problem with XOOPS or the PHPMyadmin module or Xoops.

I have taken the PHPMyadmin module completely off the server to avoid any further cause for concern. But it sorta looks like to me that someone found a way to use the PHPMyadmin module to get access to the database.

Steve,
http://www.dnspad.com/

2
Stewdio
Re: Possible PHPMyAdmin risk
  • 2003/5/28 14:09

  • Stewdio

  • Community Support Member

  • Posts: 1560

  • Since: 2003/5/7


*punt to the top*

I've never used the module, or any module that accesses the DB in this manner, so I can't offer any feedback, but I'm curious if anyone else has noticed this.

Looks pretty scary to me, glad you dropped the mod right away.

3
Jan304
Re: Possible PHPMyAdmin risk
  • 2003/5/28 14:10

  • Jan304

  • Official Support Member

  • Posts: 520

  • Since: 2002/3/31


Weird, are you sure it isn't your own IP?

I tested on a site that has phpmyadmin installed (your link wasn't working anymore since you removed the module) and there I get a no-permission error...

4
supernix
Re: Possible PHPMyAdmin risk
  • 2003/5/28 14:18

  • supernix

  • Not too shy to talk

  • Posts: 151

  • Since: 2003/3/13


Completely sure it was not my IP.

5
Stewdio
Re: Possible PHPMyAdmin risk
  • 2003/5/28 14:27

  • Stewdio

  • Community Support Member

  • Posts: 1560

  • Since: 2003/5/7


It's definitely not his IP. The link in the post listed as the referer goes to his IP and is routed through congentco.com, the backbone of his provider.

203.217.41.124 is routed through Australia
Tracing route to m041-124.nv.iinet.net.au [203.217.41.124]
over a maximum of 30 hops:

  1    25 ms    28 ms    29 ms  tlgw5.ym.phub.net.cable.rogers.com [24.42.186.1]
  2    27 ms    29 ms    29 ms  10.1.67.129
  3    24 ms    26 ms    29 ms  gw01-vlan966.ym.phub.net.cable.rogers.com [66.185.93.21]
  4    26 ms    29 ms    29 ms  gw02.ym.phub.net.cable.rogers.com [66.185.80.210]
  5    29 ms    36 ms    29 ms  gw01.bloor.phub.net.cable.rogers.com [66.185.80.226]
  6    26 ms    29 ms    35 ms  gw02.bloor.phub.net.cable.rogers.com [66.185.80.246]
  7    48 ms    47 ms    47 ms  if-10-0.core1.Chicago3.teleglobe.net [216.6.16.29]
  8    45 ms    49 ms    50 ms  if-7-0.core2.Chicago3.Teleglobe.net [207.45.220.46]
  9    46 ms    47 ms    47 ms  if-2-0.core3.NewYork.Teleglobe.net [64.86.83.218]
 10    48 ms    50 ms    50 ms  if-5-0.core2.Newark.Teleglobe.net [64.86.83.166]
 11    65 ms    53 ms    59 ms  if-9-0.core1.Ashburn.Teleglobe.net [64.86.83.214]
 12    56 ms    59 ms    59 ms  208.51.74.13
 13    57 ms    65 ms    59 ms  pos6-0-2488M.cr2.WDC2.gblx.net [64.215.195.38]
 14   120 ms   118 ms   119 ms  pos0-0-2488M.cr1.SNA1.gblx.net [64.212.107.170]
 15   282 ms   281 ms   281 ms  so1-0-0-155M.ar1.SYD1.gblx.net [203.192.136.9]
 16  1028 ms  1050 ms  1090 ms  IINET-MELB.ar1.SYD1.gblx.net [203.192.166.206]
 17  1166 ms  1216 ms  1099 ms  IINET-Mel-203.192.166.190.gblx.net [203.192.166.190]
 18  1099 ms  1118 ms  1069 ms  m041-124.nv.iinet.net.au [203.217.41.124]

Trace complete.

6
ronhab
Re: Possible PHPMyAdmin risk
  • 2003/5/28 16:20

  • ronhab

  • Friend of XOOPS

  • Posts: 160

  • Since: 2003/4/27


Maybe I am paranoid, but this is what I would do.

Backup your database & your site.

Then I suggest you create a new admin/webmaster account with a different password and delete the old admin account.

Backup the database a second time.

Then I would also change the MySQL username and password and alter my XOOPS install to use the new combination. (You could even clone the database over into one with a new name as well.) I believe the database connection information is stored in mainfile.php, but it may be somewhere else too; perhaps one of the developers can give more info on this.

Last, make sure your session time isn't set for very long, and make sure you choose logout each time so that the webmaster session is terminated and not left open.

If something goes wrong, you have a backup of your site and two of your database to revert to.


7
supernix
Re: Possible PHPMyAdmin risk
  • 2003/5/29 3:08

  • supernix

  • Not too shy to talk

  • Posts: 151

  • Since: 2003/3/13


That is pretty much what I did.
I was not exactly sure if that was definitely a security breach. But it sure looked like one when I followed that URL to the backend of the database.

8
tom
Re: Possible PHPMyAdmin risk
  • 2003/5/29 3:21

  • tom

  • Friend of XOOPS

  • Posts: 1359

  • Since: 2002/9/21


I asked a similar question about the security, but I don't seem to remember getting a reply; but then I posted straight away and mentioned that, to cut the risk, you could (and I would anyway) protect the directory with .htaccess, then you run no risk of direct access to your database through PHPmyadmin.

The only downside to this, is you gotta log in twice, once admin, then second to phpmyadmin.

I thought it might be worth mentioning the .htaccess thing.

9
supernix
Re: Possible PHPMyAdmin risk
  • 2003/5/29 4:21

  • supernix

  • Not too shy to talk

  • Posts: 151

  • Since: 2003/3/13


Definitely a good idea. Had I thought about that I would not have had reason for posting this thread. I think everyone that uses the 4mps phpmyadmin 240-rc1 module should use your suggested security measure.

I posted that I had removed the module but you would be surprised how many people still tried to use that URL. I am curious if anyone else ran that similar URL on their domain using the same module?


Steve,
http://www.dnspad.com/

10
intel352
Re: Possible PHPMyAdmin risk
  • 2003/12/1 10:24

  • intel352

  • Module Developer

  • Posts: 824

  • Since: 2003/11/23


heh, sorry, I accidentally clicked on the link while trying to copy the end part

I tried it on one of my XOOPS sites (without the phpsessid); it only worked when I was still logged in as the admin, but I tried again after having logged out (still without the phpsessid), and it *didn't* work


so I'm betting the hole is fixed or never existed, unless someone gets your phpsessid (which would suggest they could do the same to any other admin module in your site)
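As an added example (not code from this thread, from XOOPS or from the phpmyadmin module), the two things raised above turned into a log check a webmaster could run: phpMyAdmin-module requests answered with 200 from an address that is not on an allow-list (the first post's log entries), and PHPSESSID values carried in the request URL or Referer, which is the "someone gets your phpsessid" path intel352 describes. The three-line log format is taken from the first post; the sample entries, the allow-list and the function names are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample in the three-line format quoted in the first post (not the real log).
SAMPLE_LOG = """\
Host: 203.217.41.124 Url: /modules/phpmyadmin/admin/sql.php?db=supernix_xoops&table=xoops_config&PHPSESSID=aed13a2e3e593f9d7c893a483bf3481e Http Code : 200
Date: May 28 03:15:17 Http Version: HTTP/1.1 Size in Bytes: 244435
Referer:http://www.dnspad.com/modules/phpmyadmin/admin/sql.php?PHPSESSID=aed13a2e3e593f9d7c893a483bf3481e Agent: Mozilla/4.0 (compatible; MSIE 6.0)

Host: 210.50.219.22 Url: /modules/phpmyadmin/admin/index.php Http Code : 200
Date: May 28 03:13:41 Http Version: HTTP/1.1 Size in Bytes: 642
Referer: - Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)

Host: 192.0.2.10 Url: /modules/news/index.php Http Code : 200
Date: May 28 03:20:00 Http Version: HTTP/1.1 Size in Bytes: 1200
Referer: - Agent: Mozilla/4.0
"""
# One record = three lines: Host/Url/Http Code, Date/Version/Size, Referer/Agent.
RECORD_RE = re.compile(
    r"Host: (?P<host>\S+) Url: (?P<url>\S+) Http Code : (?P<code>\d+)\n"
    r"Date: (?P<date>[^\n]+?) Http Version: \S+ Size in Bytes: (?P<size>\d+)\n"
    r"Referer:\s*(?P<referer>\S+) Agent: (?P<agent>[^\n]*)"
)
ADMIN_PREFIX = "/modules/phpmyadmin/"   # module path seen in the thread
ALLOWED_ADMIN_IPS = {"192.0.2.1"}       # assumption: the webmaster's own address(es)

def parse_records(text):
    return [m.groupdict() for m in RECORD_RE.finditer(text)]

def session_ids(url):
    """Session ids carried in a URL's query string (PHPSESSID=...); [] if none."""
    return parse_qs(urlsplit(url).query).get("PHPSESSID", [])

def audit(text, allowed_ips=ALLOWED_ADMIN_IPS):
    """Flag successful phpMyAdmin-module hits that a webmaster should review."""
    findings = []
    for r in parse_records(text):
        if not r["url"].startswith(ADMIN_PREFIX) or r["code"] != "200":
            continue
        reasons = []
        if r["host"] not in allowed_ips:
            reasons.append("served 200 to an address outside the allow-list")
        if session_ids(r["url"]):
            reasons.append("PHPSESSID carried in the request URL")
        if session_ids(r["referer"]):
            reasons.append("PHPSESSID carried in the Referer header")
        if reasons:
            findings.append((r["host"], r["url"].split("?")[0], reasons))
    return findings
```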
