Access to PMA to anyone??? - Printable Version

+- ispCP - Board - Support (http://www.isp-control.net/forum)
+-- Forum: ispCP Omega Development Area (/forum-1.html)
+--- Forum: Suggestions (/forum-2.html)
+--- Thread: Access to PMA to anyone??? (/thread-323.html)

Access to PMA to anyone??? - grungy - 04-05-2007 12:10 AM

If you ask me, it is a great security risk that anyone can access PMA just by entering http://www.domain.com/vhcs2/tools/pma/

Wanna know why? Think about it! If you ask me, a user should be logged in to VHCS OMEGA to be able to access PMA!!!! YES!

RE: Access to PMA to anyone??? - BeNe - 04-05-2007 12:13 AM

In which together slope is that here ?? I don't understand.... :konfus:

RE: Access to PMA to anyone??? - grungy - 04-05-2007 12:16 AM

BeNe Wrote: In which together slope is that here ??

?

RE: Access to PMA to anyone??? - grungy - 04-05-2007 12:19 AM

Well, just to point out that the setup program in VHCS by default creates a passwordless account for the FTP user! So just by accessing the PMA URL for a domain, entering the FTP username and clicking login without a password would let a 'hacker' in and expose ftp accounts...

By default I mean, the setup program will let you just hit enter, and continue with the setup when you are asked for the FTP USER password...!

RE: Access to PMA to anyone??? - BeNe - 04-05-2007 12:20 AM

*klick* ok - now I am here

mmmhh, the question is, how to secure PMA?! Why don't you use .htaccess? You can also change the folder name to anything and make a link in the VHCS Menu.

RE: Access to PMA to anyone??? - BeNe - 04-05-2007 12:23 AM

grungy Wrote: Well, just to point out that the setup program in VHCS by default creates a passwordless account for the FTP user! So just by accessing the PMA URL for a domain, entering the FTP username and clicking login without a password would let a 'hacker' in and expose ftp accounts...

A passwordless account by default? Are you sure? In the setup you were asked about a password for vftp

RE: Access to PMA to anyone??? - grungy - 04-05-2007 12:23 AM

BeNe Wrote: *klick* ok - now I am here

Don't worry about me, I'm thinking about most of the people out there... they will take things as they are, and leave the default setup.

RE: Access to PMA to anyone??? - grungy - 04-05-2007 12:24 AM

BeNe Wrote: grungy Wrote: Well, just to point out that the setup program in VHCS by default creates a passwordless account for the FTP user! So just by accessing the PMA URL for a domain, entering the FTP username and clicking login without a password would let a 'hacker' in and expose ftp accounts...

Just hit enter when you are asked for the password...

RE: Access to PMA to anyone??? - BeNe - 04-05-2007 12:29 AM

Yeah - just hit enter! But come on, which sysadmin hits "Enter" on this question?

RE: Access to PMA to anyone??? - grungy - 04-05-2007 12:32 AM

BeNe Wrote: Yeah - just hit enter!

Yeah, but I like to test stuff... and since you ask, the trunk that I was using had a bug that won't let proftpd connect to mysql if the vftp user had a password.