Old 28-07-2004, 06:43 AM   #1   [permalink]
AchtungAffen
Forum Master
 
My MySQL has a big hole, I'm a newb and need help!

I'm a total newb on SQL, but I installed mysql on my server so I could put a phpbb. It was hard to put a username and password already, not even knowing how, investigating all by myself.

But then, when I started modding phpbb, I had to install phpmyadmin, to do the database modifications. When I installed and first ran it, I got the following message:

Quote:
Your configuration file contains settings (root with no password) that correspond to the default MySQL privileged account. Your MySQL server is running with this default, is open to intrusion, and you really should fix this security hole.
I checked on privileges and deleted all non passworded ones. But I still get the message... what should I do? What harm can they do to my site with this hole?

Thx.
__________________
REI LIBERATION PARADE
Eva resources en español
Old 31-07-2004, 01:05 AM   #2   [permalink]
Usagi^.^
Ex Moderator V.I.P.
 
All right, I never got a domain of my own, but I'm gonna answer with the best of my ability...

You can access PHPmyAdmin from the net by a webpage address, right? Something like www.mydomain.com/phpmyadmin/. Well, if you can, everyone else can! I could go if I knew/guessed the URL. That means I could change your database, and even completely delete it!

Now, that means you need a username and password! Hehe, but there I can't really help you, I never installed PHPmyAdmin myself. But my employer had his PHPmyAdmin protected. When you'd go to www.whatever.com/phpmyadmin/ it would ask for a username and password _managed by PHPmyAdmin itself_ (means it's encrypted and safe) before you could access the info. It must be in the PHPmyAdmin documentation!

Good luck!
__________________
(\__/)
(='.'=)
(")_(")
Old 31-07-2004, 07:45 AM   #3   [permalink]
AchtungAffen
Forum Master
 
I only put the phpmyadmin directory online when I use it, and I protect it with the basic password confirmation I can do with Apache (not the encrypted one which is helluva harder to do). But I thought the error was for mysql, not for phpmyadmin!
__________________
REI LIBERATION PARADE
Eva resources en español
Old 01-08-2004, 05:02 AM   #4   [permalink]
Keiichi
Executive Member
 
Did you edit phpmyadmin's configuration file?
__________________
K1
"Belldandy's drunk? But why now?!...No way...because of COLA?" :goof:
Old 01-08-2004, 06:49 PM   #5   [permalink]
AchtungAffen
Forum Master
 
Only the part where I had to put my server's url.
__________________
REI LIBERATION PARADE
Eva resources en español
Old 02-08-2004, 03:17 AM   #6   [permalink]
Keiichi
Executive Member
 
You're supposed to provide your MySQL username and password also. You said you've installed MySQL on your server, correct? When you did that, you should at least have a password for your 'root' login. Unless you have added other user logins, use those.
__________________
K1
"Belldandy's drunk? But why now?!...No way...because of COLA?" :goof:
Old 02-08-2004, 05:10 AM   #7   [permalink]
AchtungAffen
Forum Master
 
I deleted all user privileges, and added one user with all privileges with password. But the message on phpmyadmin keeps appearing.
__________________
REI LIBERATION PARADE
Eva resources en español
Old 04-08-2004, 11:44 PM   #8   [permalink]
Keiichi
Executive Member
 
Hmmm.... try posting some upper portion of that config file (make sure to show something else for your password, like *'s, and probably edit the paths too for display).
__________________
K1
"Belldandy's drunk? But why now?!...No way...because of COLA?" :goof:
Old 09-08-2004, 05:27 AM   #9   [permalink]
AchtungAffen
Forum Master
 
You mean something like this?

Quote:
$cfg['Servers'][$i]['controlpass'] = '';       // access to the "mysql/user"
                                               // and "mysql/db" tables).
                                               // The controluser is also
                                               // used for all relational
                                               // features (pmadb)
$cfg['Servers'][$i]['auth_type']   = 'config'; // Authentication method (config, http or cookie based)?
$cfg['Servers'][$i]['user']        = 'root';   // MySQL user
$cfg['Servers'][$i]['password']    = '';       // MySQL password (only needed
                                               // with 'config' auth_type)

As you see, there are no passwords set all over the config file. Either way, phpmyadmin can enter mysql. Even though only one user with privileges exists in mysql, and it has a password.
__________________
REI LIBERATION PARADE
Eva resources en español
Old 11-08-2004, 12:12 AM   #10   [permalink]
Keiichi
Executive Member
 
It's supposed to have a password in there.
$cfg['Servers'][$i]['password'] = '';

That's what the error is saying, that you don't have a password.
You said that it works without a password? Something's wrong with your mysql setup. It shouldn't be able to access any root data without a password.

What happens if you try to log in through command line?
> mysql -u root -p<password>
where <password> is your password (try it with it blank).
__________________
K1
"Belldandy's drunk? But why now?!...No way...because of COLA?" :goof:
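
An added example, not part of the thread and not phpMyAdmin's own code: a small Python check that reads the `$cfg['Servers'][$i]` settings from a config file like the one quoted in post #9 and flags the combination the warning in post #1 describes (auth_type 'config', user 'root', empty password). The sample config is constructed, and the function names and finding labels are this example's own.

```python
import re

# Constructed sample: server 1 repeats the settings quoted in post #9;
# server 2 is a hypothetical block switched to cookie login.
SAMPLE_CONFIG = r"""
$i = 0;
$i++;
$cfg['Servers'][$i]['controlpass'] = '';       // access to the "mysql/user"
$cfg['Servers'][$i]['auth_type']   = 'config'; // Authentication method
$cfg['Servers'][$i]['user']        = 'root';   // MySQL user
$cfg['Servers'][$i]['password']    = '';       // MySQL password
$i++;
$cfg['Servers'][$i]['auth_type']   = 'cookie';
$cfg['Servers'][$i]['user']        = '';
$cfg['Servers'][$i]['password']    = '';
"""

# $cfg['Servers'][$i]['key'] = 'value';  (single-quoted values only)
SETTING = re.compile(r"^\s*\$cfg\['Servers'\]\[\$i\]\['(\w+)'\]\s*=\s*'((?:[^'\\]|\\.)*)'\s*;")
NEXT_SERVER = re.compile(r"^\s*\$i\+\+\s*;")

def parse_servers(text):
    """Split the file into one settings dict per server block ($i++ starts a block)."""
    servers, current = [], {}
    for line in text.splitlines():
        if NEXT_SERVER.match(line):
            if current:
                servers.append(current)
            current = {}
        else:
            m = SETTING.match(line)  # lines commented out with // do not match
            if m:
                current[m.group(1)] = m.group(2)
    if current:
        servers.append(current)
    return servers

def audit(server):
    """Return findings for one server block; an empty list means nothing flagged."""
    findings = []
    if server.get("auth_type") == "config":
        # The MySQL login is read from the file, so phpMyAdmin asks nobody for it.
        findings.append("stored-login")
        if server.get("user") == "root" and server.get("password", "") == "":
            # The combination the phpMyAdmin warning in post #1 describes.
            findings.append("root-empty-password")
    return findings

def audit_config(text):
    """Map 1-based server number to its findings."""
    return {n: audit(s) for n, s in enumerate(parse_servers(text), start=1)}

if __name__ == "__main__":
    for n, findings in audit_config(SAMPLE_CONFIG).items():
        print("server %d: %s" % (n, ", ".join(findings) or "ok"))
```

The check only reads the phpMyAdmin file; whether MySQL itself still accepts root with a blank password is the separate command-line test suggested in post #10.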
All times are GMT -4.