I’ve recently seen alot of users getting hacked, so I’ve used some of my free time to look into this and I found a “security vulnerability” in phpMyAdmin which comes with XAMPP. The control user pma comes with an empty password as default, and XAMPP does not alert the user about this.

I’m not going to explain in details how you can take advantage of this vulnerability, but to explain it in a single sentence: the user pma has more permissions than it should have.

NOTE: The instructions below will break pmadb. pmadb is not necessary to host an OpenTibia server, so if you want to make this easy for you it’s just to drop the control user. If you want to keep pmadb and fix this the proper way you can do as stated in the “Change the password of the “pma” user in phpMyAdmin” section here: XAMPP Security: Create “pma” Password Not Covered by the Security Script and Password Protect XAMPP Folders and Directories.

Instructions to drop the control user:
1. Enter phpMyAdmin with root user.
2. Below the phpMyAdmin logo (at the left sidebar) you can see a button that has the text SQL, click on it.
3. A textbox will appear where you can insert a query, insert this:

Code:
DROP USER 'pma'@'localhost';

4. Click on Execute, if you get any error post it in this thread and we’ll try to help you.

Now to be sure it worked, logout from phpmyadmin and try to login with the user pma without any password. If it doesn’t work then your server should be secure against this vulnerability.

Advertisements