
[Security] phpMyAdmin

Posted: Fri May 25, 2018 8:23 am
by toms
Hi,

Any user can open phpMyAdmin with


window.open('nupmalogin.php');


and delete the database...

This should only be possible with the globeadmin user.

Re: [Security] phpMyAdmin

Posted: Tue May 29, 2018 10:08 pm
by toms
Quick fix in config.inc.php to prompt for login/password:


$cfg['Servers'][$i]['auth_type'] = 'cookie';
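
Added example, not part of the original post or of nuBuilder's code: a small Python check that reads the text of a phpMyAdmin config.inc.php and flags server blocks that skip the login prompt. It assumes the open access came from `auth_type` set to `'config'` (phpMyAdmin's mode that logs in with credentials stored in the file); the sample configs and the `audit` and `strip_comments` names are constructed for illustration.

```python
import re

# Matches lines such as: $cfg['Servers'][$i]['auth_type'] = 'cookie';
ASSIGN = re.compile(
    r"""^\s*\$cfg\['Servers'\]\[\$i\]\['(\w+)'\]\s*=\s*('[^']*'|"[^"]*"|\w+)\s*;""",
    re.MULTILINE,
)

def strip_comments(php):
    """Drop /* ... */ blocks and whole-line // or # comments."""
    php = re.sub(r"/\*.*?\*/", "", php, flags=re.DOTALL)
    return re.sub(r"^\s*(//|#).*$", "", php, flags=re.MULTILINE)

def audit(php):
    """Return (server_number, finding) tuples for one config.inc.php text."""
    blocks = re.split(r"\$i\+\+\s*;", strip_comments(php))
    blocks = blocks[1:] or blocks      # each $i++; starts a server block
    findings = []
    for n, block in enumerate(blocks, start=1):
        s = {k: v.strip("'\"") for k, v in ASSIGN.findall(block)}
        auth = s.get("auth_type")
        if auth is None:
            findings.append((n, "auth_type not set explicitly"))
        elif auth == "config":
            findings.append((n, "auth_type 'config': no login prompt"))
            if s.get("password"):
                findings.append((n, "database password stored in file"))
        if s.get("AllowNoPassword", "").lower() == "true":
            findings.append((n, "AllowNoPassword enabled"))
    return findings

# Constructed sample configs (not taken from nuBuilder).
WEAK = """<?php
$i = 0;
$i++;
$cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['password'] = 'constructed-secret';
$cfg['Servers'][$i]['AllowNoPassword'] = true;
"""
FIXED = """<?php
$i = 0;
$i++;
// $cfg['Servers'][$i]['auth_type'] = 'config';
$cfg['Servers'][$i]['auth_type'] = 'cookie';
"""

if __name__ == "__main__":
    for server, finding in audit(WEAK):
        print(f"server {server}: {finding}")
```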

Re: [Security] phpMyAdmin

Posted: Sat Jun 02, 2018 7:07 am
by toms
This security issue didn't exist in nuBuilder Pro.

nupmalogin.php used the session/cookies:

https://github.com/nuSoftware/nuBuilder ... alogin.php

Re: [Security] phpMyAdmin / Important!

Posted: Thu Jun 07, 2018 10:39 am
by toms
I wonder why this important issue is being ignored. No reply, no fix, nothing. Shouldn't it be in your interest that nuBuilder is secure?


Basically, if I know that site xxx has nuBuilder installed, I can access the Database and see all data and do whatever I want.

So, please do something about it!

Re: [Security] phpMyAdmin

Posted: Fri Jun 08, 2018 2:26 am
by admin
toms,

I understand you think this is extremely important - and I agree.

But we are always doing our best to improve nuBuilder.

But that is a process we will take care of and I'm not going to have any third party try to tell us what to do.

Unless they SHOW ME THE MONEY! (to quote the guy in Jerry Maguire)

Just remember nuBuilder is free AND open source.

So if you believe there is a nuBuilder issue so important that it "Just can't wait" to be fixed.

You should fork nuBuilder in Github and fix it yourself in your own version.

I don't mean to be harsh but that is the way I feel.

Steven

Re: [Security] phpMyAdmin

Posted: Fri Jun 08, 2018 4:50 am
by toms
Ok thanks, at least I know you are aware of it.
Well, I solved it for myself (and published a fix) shortly after I had posted the exploit.
I'm more worried to see that some users have not secured their database.

Re: [Security] phpMyAdmin

Posted: Wed Jun 27, 2018 2:06 am
by admin
toms,

I think we have fixed this problem in the latest Github download.

Please let me know if it works for you.

Steven

Re: [Security] phpMyAdmin

Posted: Mon Jul 02, 2018 11:32 am
by toms
There are two things that I've noticed:

1. Previously, just the nuBuilder DB was shown in phpMyAdmin. (The URL looked like this: index.php?server=1&db=nubuilder4)
Now I see all Databases on the server. I'm not sure that's the way it should be.

2. First I open phpMyAdmin through the "Database" button, then close the browser tab, log out from nuBuilder and completely close the browser.
When I open the browser again, phpMyAdmin can still be opened through the link https://xxxx/nudb/.
But this is only the case in Chrome, not in Firefox (FF shows "please log into nubuilder")
The cookie seems to be persistent.

Re: [Security] phpMyAdmin

Posted: Thu Jul 05, 2018 3:19 am
by admin
Hi

I have fixed this now, please test and confirm

-Shane

Re: [Security] phpMyAdmin

Posted: Thu Jul 05, 2018 12:19 pm
by toms
Seems like everything now works as it should. Thanks!