[Security] phpMyAdmin

Questions related to using nuBuilder Forte.
toms
Posts: 785
Joined: Sun Oct 14, 2018 11:25 am

[Security] phpMyAdmin

Unread post by toms »

Hi,

Any user can open phpMyAdmin with

Code:

window.open('nupmalogin.php');


and delete the database...

This should only be possible with the globeadmin user.
toms
Posts: 785
Joined: Sun Oct 14, 2018 11:25 am

Re: [Security] phpMyAdmin

Unread post by toms »

Quick fix in config.inc.php to prompt for login/password:

Code:

$cfg['Servers'][$i]['auth_type'] = 'cookie';
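
An added example, not part of the original thread and not nuBuilder's or phpMyAdmin's own code: a small audit that reads the text of a `config.inc.php` and reports, per server entry, whether `auth_type` is one where phpMyAdmin itself prompts for a login (`cookie` or `http`) and whether a password is stored in the file. The function names and the sample configuration are constructed for illustration.

```python
import re

# Matches e.g.  $cfg['Servers'][$i]['auth_type'] = 'cookie';
SETTING = re.compile(r"^\$cfg\['Servers'\]\[\$i\]\['(\w+)'\]\s*=\s*(.+?)\s*;")
INCREMENT = re.compile(r"^\$i\+\+\s*;")
PROMPTING = {"cookie", "http"}  # auth types where phpMyAdmin asks for a login


def parse_servers(text):
    """Return {server_index: {key: value}} from config.inc.php source text."""
    servers, i = {}, 0
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(("//", "#", "/*", "*")):  # skip commented-out lines
            continue
        if INCREMENT.match(line):  # "$i++;" starts the next server entry
            i += 1
            continue
        m = SETTING.match(line)
        if m:
            servers.setdefault(i, {})[m.group(1)] = m.group(2).strip("'\"")
    return servers


def audit(text):
    """List (index, auth_type, prompts_for_login, password_in_file) per server."""
    report = []
    for idx, cfg in sorted(parse_servers(text).items()):
        auth = cfg.get("auth_type", "(not set)")
        report.append((idx, auth, auth in PROMPTING, bool(cfg.get("password"))))
    return report


# Constructed sample, not taken from a nuBuilder installation.
SAMPLE = r"""
$i = 0;
$i++;
$cfg['Servers'][$i]['host'] = 'localhost';
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['user'] = 'example_user';
$cfg['Servers'][$i]['password'] = 'example_password';
// $cfg['Servers'][$i]['auth_type'] = 'cookie';
$i++;
$cfg['Servers'][$i]['auth_type'] = 'cookie';
"""

if __name__ == "__main__":
    for idx, auth, prompts, stored in audit(SAMPLE):
        status = "OK" if prompts else "REVIEW: auth_type is not cookie/http"
        print(f"server {idx}: auth_type={auth} password_in_file={stored} -> {status}")
```
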
toms
Posts: 785
Joined: Sun Oct 14, 2018 11:25 am

Re: [Security] phpMyAdmin

Unread post by toms »

This security issue didn't exist in nuBuilder Pro.

nupmalogin.php used the session/cookies:

https://github.com/nuSoftware/nuBuilder ... alogin.php
toms
Posts: 785
Joined: Sun Oct 14, 2018 11:25 am

Re: [Security] phpMyAdmin / Important!

Unread post by toms »

I wonder why this important issue is being ignored. No reply, no fix, nothing. Shouldn't it be in your interest that nuBuilder is secure?


Basically, if I know that site xxx has nuBuilder installed, I can access the Database and see all data and do whatever I want.

So, please do something about it!
admin
Site Admin
Posts: 2814
Joined: Mon Jun 15, 2009 2:23 am
Been thanked: 25 times

Re: [Security] phpMyAdmin

Unread post by admin »

toms,

I understand you think this is extremely important - and I agree.

But we are always doing our best to improve nuBuilder.

But that is a process we will take care of and I'm not going to have any third party try to tell us what to do.

Unless they SHOW ME THE MONEY! (to quote the guy in Jerry Maguire)

Just remember nuBuilder is free AND open source.

So if you believe there is a nuBuilder issue so important that it "Just can't wait" to be fixed, you should fork nuBuilder in Github and fix it yourself in your own version.

I don't mean to be harsh but that is the way I feel.

Steven
toms
Posts: 785
Joined: Sun Oct 14, 2018 11:25 am

Re: [Security] phpMyAdmin

Unread post by toms »

Ok thanks, at least I know you are aware of it.
Well, I solved it for myself (and published a fix) shortly after I had posted the exploit.
I'm more worried to see that some users have not secured their database.
admin
Site Admin
Posts: 2814
Joined: Mon Jun 15, 2009 2:23 am
Been thanked: 25 times

Re: [Security] phpMyAdmin

Unread post by admin »

toms,

I think we have fixed this problem in the latest Github download.

Please let me know if it works for you.

Steven
toms
Posts: 785
Joined: Sun Oct 14, 2018 11:25 am

Re: [Security] phpMyAdmin

Unread post by toms »

There are two things that I've noticed:

1. Previously, just the nuBuilder DB was shown in phpMyAdmin. (The URL looked like this: index.php?server=1&db=nubuilder4)
Now I see all databases on the server. I'm not sure that's the way it should be.

2. First I open phpMyAdmin through the "Database" button, then close the browser tab, log out from nuBuilder and completely close the browser.
When I open the browser again, phpMyAdmin can still be opened through the link https://xxxx/nudb/.
But this is only the case in Chrome, not in Firefox (FF shows "please log into nubuilder")
The cookie seems to be persistent.
admin
Site Admin
Posts: 2814
Joined: Mon Jun 15, 2009 2:23 am
Been thanked: 25 times

Re: [Security] phpMyAdmin

Unread post by admin »

Hi

I have fixed this now, please test and confirm

-Shane
toms
Posts: 785
Joined: Sun Oct 14, 2018 11:25 am

Re: [Security] phpMyAdmin

Unread post by toms »

Seems like everything now works as it should. Thanks!