Fennes
Verified User
Hello,
Maybe it's allready posted on this forum , but i couldn't find it.
So i'm going to post it (again).
When i bought DA it was deliverd with a standard packed of phpmyadmin version 2.6.4 pl1.
Couple weeks later an exploit came out for this version.
(05-10-05 Netherlands timezone)
This exploit is about an local inclusion bug.
Simple it means you can read files from the server if you know it's location. Now it's not a criticale bug but i think in combination with DA it is. Because for example, DA stores it's mysql root password for da_admin here: /usr/local/directadmin/conf/mysql.conf
some of you will think , your stupid if you don't remove that file, and don't update Phpmyadmin. Well i say you this, i've googled arround with keywords "Hosting Directadmin" and i was supprised how many hosting companies didn't update there Phpmyadmin. for example (to show this bug is really working)
here are 2 pics of an server with DA and Old phpmyadmin.
For my own behave and for the hoster i don;t let you see mysql.conf but i shall let you see a part of his passwd and his resolv.conf
but Remember i'm not a hacker or something like that, i;m only conserned about this , because in this content it's a pretty seriouse bug i think.
So update your Phpmyadmin, how to do:
http://www.directadmin.com/forum/showthread.php?s=&threadid=10608
and than your save for this bug.
And move you mysql.conf to another dir or delete it.
I hope this information is welcome!
With Kind Regards
Note.
I know about the chmod settings of the DA conf. files but
still it's a tricky exploit i think
Maybe it's allready posted on this forum , but i couldn't find it.
So i'm going to post it (again).
When i bought DA it was deliverd with a standard packed of phpmyadmin version 2.6.4 pl1.
Couple weeks later an exploit came out for this version.
(05-10-05 Netherlands timezone)
This exploit is about an local inclusion bug.
Simple it means you can read files from the server if you know it's location. Now it's not a criticale bug but i think in combination with DA it is. Because for example, DA stores it's mysql root password for da_admin here: /usr/local/directadmin/conf/mysql.conf
some of you will think , your stupid if you don't remove that file, and don't update Phpmyadmin. Well i say you this, i've googled arround with keywords "Hosting Directadmin" and i was supprised how many hosting companies didn't update there Phpmyadmin. for example (to show this bug is really working)
here are 2 pics of an server with DA and Old phpmyadmin.
For my own behave and for the hoster i don;t let you see mysql.conf but i shall let you see a part of his passwd and his resolv.conf
but Remember i'm not a hacker or something like that, i;m only conserned about this , because in this content it's a pretty seriouse bug i think.
So update your Phpmyadmin, how to do:
http://www.directadmin.com/forum/showthread.php?s=&threadid=10608
and than your save for this bug.
And move you mysql.conf to another dir or delete it.
I hope this information is welcome!
With Kind Regards
Note.
I know about the chmod settings of the DA conf. files but
still it's a tricky exploit i think
Last edited: