Activity log for bug #281290

Date Who What changed Old value New value Message
2008-10-10 13:47:59 Manatsawin Hanmongkolchai bug added bug
2008-10-10 13:48:40 Manatsawin Hanmongkolchai bug assigned to phpmyadmin
2008-10-10 13:51:27 Manatsawin Hanmongkolchai description

  Old value:

  Binary package hint: phpmyadmin

  The mysql project, as stated in http://dev.mysql.com/doc/refman/5.0/en/default-privileges.html

  Two anonymous-user accounts are created, each with an empty username. The anonymous accounts have no password, so anyone can use them to connect to the MySQL server. On Unix, both anonymous accounts are for connections from the local host. Connections must be made from the local host by specifying a hostname of localhost for one of the accounts, or the actual hostname or IP number for the other. These accounts have all privileges for the test database and for other databases with names that start with test_.

  So, the mysql-server is secure, because it accepts anonymous account logins from localhost only, but phpmyadmin is acting as a proxy to the mysql server, so anyone can access the test database. At least, I have found many real world servers running phpmyadmin at /phpmyadmin and I can access the account. A person from #ubuntu-th also can access the test database of a host (also on #ubuntu-th) who had installed Simple Machines Forum into it, and he can export smf_user from it.

  Suggestions:
  1. Remove the anonymous account when phpmyadmin is installed, and show a notice message to the user. (preferred, in the same way as the "Please restart any running Firefoxes" message, as it isn't blocking dpkg)
  2. Disable this account login via phpmyadmin.

  New value:

  Binary package hint: phpmyadmin

  The mysql project, as stated in http://dev.mysql.com/doc/refman/5.0/en/default-privileges.html

  Two anonymous-user accounts are created, each with an empty username. The anonymous accounts have no password, so anyone can use them to connect to the MySQL server. On Unix, both anonymous accounts are for connections from the local host. Connections must be made from the local host by specifying a hostname of localhost for one of the accounts, or the actual hostname or IP number for the other. These accounts have all privileges for the test database and for other databases with names that start with test_.

  So, the mysql-server is secure, because it accepts anonymous account logins from localhost only, but phpmyadmin is acting as a proxy to the mysql server, so anyone can access the test database. At least, I have found many real world servers running phpmyadmin at /phpmyadmin and I can access the account. A person from #ubuntu-th also can access the test database of a host (also on #ubuntu-th) who had installed Simple Machines Forum into it, and he can export smf_user from it.

  Suggestions:
  1. Remove the anonymous account when phpmyadmin is installed, and show a notice message to the user. (preferred, in the same way as the "Please restart any running Firefoxes" message, as it isn't blocking dpkg)
  2. Disable this account login via phpmyadmin.
  3. Inform the user of this bug when installing phpmyadmin.

  I don't think this bug should be fixed in mysql because the localhost restriction is just fine.
2008-10-10 13:55:16 Manatsawin Hanmongkolchai description

  Old value:

  Binary package hint: phpmyadmin

  The mysql project, as stated in http://dev.mysql.com/doc/refman/5.0/en/default-privileges.html

  Two anonymous-user accounts are created, each with an empty username. The anonymous accounts have no password, so anyone can use them to connect to the MySQL server. On Unix, both anonymous accounts are for connections from the local host. Connections must be made from the local host by specifying a hostname of localhost for one of the accounts, or the actual hostname or IP number for the other. These accounts have all privileges for the test database and for other databases with names that start with test_.

  So, the mysql-server is secure, because it accepts anonymous account logins from localhost only, but phpmyadmin is acting as a proxy to the mysql server, so anyone can access the test database. At least, I have found many real world servers running phpmyadmin at /phpmyadmin and I can access the account. A person from #ubuntu-th also can access the test database of a host (also on #ubuntu-th) who had installed Simple Machines Forum into it, and he can export smf_user from it.

  Suggestions:
  1. Remove the anonymous account when phpmyadmin is installed, and show a notice message to the user. (preferred, in the same way as the "Please restart any running Firefoxes" message, as it isn't blocking dpkg)
  2. Disable this account login via phpmyadmin.
  3. Inform the user of this bug when installing phpmyadmin.

  I don't think this bug should be fixed in mysql because the localhost restriction is just fine.

  New value:

  Binary package hint: phpmyadmin

  The mysql project, as stated in http://dev.mysql.com/doc/refman/5.0/en/default-privileges.html

  Two anonymous-user accounts are created, each with an empty username. The anonymous accounts have no password, so anyone can use them to connect to the MySQL server. On Unix, both anonymous accounts are for connections from the local host. Connections must be made from the local host by specifying a hostname of localhost for one of the accounts, or the actual hostname or IP number for the other. These accounts have all privileges for the test database and for other databases with names that start with test_.

  So, the mysql-server is secure, because it accepts anonymous account logins from localhost only, but phpmyadmin is acting as a proxy to the mysql server, so anyone can access the test database. At least, I have found many real world servers running phpmyadmin at /phpmyadmin and I can access the account. A person from #ubuntu-th also can access the test database of a host (also on #ubuntu-th) who had installed Simple Machines Forum into it, and he can export smf_user from it.

  Steps to reproduce:
  1. Go to any phpmyadmin instance.
  2. Type anything (but not an existing user) into the username.
  3. Log in (don't enter anything as the password).

  Suggestions:
  1. Remove the anonymous account when phpmyadmin is installed, and show a notice message to the user. (preferred, in the same way as the "Please restart any running Firefoxes" message, as it isn't blocking dpkg)
  2. Disable this account login via phpmyadmin.
  3. Inform the user of this bug when installing phpmyadmin.

  I don't think this bug should be fixed in mysql because the localhost restriction is just fine.
2009-02-03 18:35:39 papukaija phpmyadmin: status New Confirmed
2009-02-03 18:35:39 papukaija phpmyadmin: status explanation Same here on Intrepid.
2009-05-05 18:56:19 papukaija phpmyadmin (Ubuntu): status Confirmed Fix Released
2010-03-17 13:01:17 papukaija phpmyadmin: status New Incomplete
2010-03-23 16:53:08 papukaija phpmyadmin: status Incomplete Invalid
2010-03-24 14:47:08 papukaija phpmyadmin: status Invalid Fix Released