Access to PMA to anyone???
grungy Offline
Junior Member
*

Posts: 190
Joined: Dec 2006
Reputation: 6
Post: #1
Access to PMA to anyone???
If you ask me, it is a great security risk that anyone can access PMA just by entering http://www.domain.com/vhcs2/tools/pma/



Wanna know why? Think about it! Big Grin Smile

If you ask me, a user should be logged in to VHCS OMEGA to be able to access PMA!!!!

YES!
04-05-2007 12:10 AM
BeNe Offline
Moderator
*****
Moderators

Posts: 5,899
Joined: Jan 2007
Reputation: 68
Post: #2
RE: Access to PMA to anyone???
In which together slope is that here ??
I don't understand.... :konfus:
04-05-2007 12:13 AM
grungy Offline
Junior Member
*

Posts: 190
Joined: Dec 2006
Reputation: 6
Post: #3
RE: Access to PMA to anyone???
BeNe Wrote: In which together slope is that here ??
I don't understand.... :konfus:

?
04-05-2007 12:16 AM
grungy Offline
Junior Member
*

Posts: 190
Joined: Dec 2006
Reputation: 6
Post: #4
RE: Access to PMA to anyone???
Well, just to point out that the setup program in VHCS by default creates a passwordless account for the FTP user! So just by accessing the PMA URL for a domain, entering the FTP username and clicking login without a password would let a 'hacker' in and expose FTP accounts...

By default I mean, the setup program will let you just hit enter, and continue with the setup when you are asked for the FTP USER password...!
(This post was last modified: 04-05-2007 12:20 AM by grungy.)
04-05-2007 12:19 AM
BeNe Offline
Moderator
*****
Moderators

Posts: 5,899
Joined: Jan 2007
Reputation: 68
Post: #5
RE: Access to PMA to anyone???
*klick* ok - now i am here Big Grin

mmmhh, the question is, how to secure PMA ?!
Why don't you use .htaccess ?
You can also change the folder name to anything and make a link in
the VHCS menu.
(This post was last modified: 04-05-2007 12:20 AM by BeNe.)
04-05-2007 12:20 AM
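One way to confirm that an .htaccess login in front of PMA, as suggested in the post above, is really in effect. This is an added example, not code from the thread or from VHCS: it scans Apache access-log lines for requests under /vhcs2/tools/pma that were answered without an authenticated HTTP user. The log format (Apache common/combined), the sample lines and the function name are assumptions; only the path comes from the thread.

```python
import re

# The PMA path is the one quoted in the thread; everything else is assumed.
PMA_PATH = "/vhcs2/tools/pma"

# Apache common/combined log format (assumed):
# host ident user [time] "METHOD path PROTO" status size ...
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Apr/2007:00:10:01 +0200] "GET /vhcs2/tools/pma/ HTTP/1.1" 200 5120',
    '192.0.2.10 - - [05/Apr/2007:00:10:05 +0200] "POST /vhcs2/tools/pma/index.php HTTP/1.1" 302 0',
    '198.51.100.7 - - [05/Apr/2007:00:12:00 +0200] "GET /vhcs2/tools/pma/ HTTP/1.1" 401 480',
    '198.51.100.7 - admin [05/Apr/2007:00:12:09 +0200] "GET /vhcs2/tools/pma/index.php?lang=en HTTP/1.1" 200 5120',
    '203.0.113.5 - - [05/Apr/2007:00:13:00 +0200] "GET /vhcs2/index.php HTTP/1.1" 200 2048',
]


def unauthenticated_pma_hits(lines):
    """Return (host, method, path, status) for PMA requests answered without HTTP auth."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if m is None:
            continue  # not an access-log line in the assumed format
        path = m.group("path").split("?", 1)[0]  # drop the query string
        if path != PMA_PATH and not path.startswith(PMA_PATH + "/"):
            continue  # some other part of the site
        status = int(m.group("status"))
        # User "-" means no HTTP credentials were accepted. With Basic auth in
        # front of the directory such a request gets 401, so a 2xx/3xx answer
        # means the server did not demand credentials.
        if m.group("user") == "-" and 200 <= status < 400:
            hits.append((m.group("host"), m.group("method"), path, status))
    return hits


if __name__ == "__main__":
    for hit in unauthenticated_pma_hits(SAMPLE_LOG):
        print("PMA answered without HTTP auth:", hit)
```

An empty result over a log that does contain PMA requests means every one of them either carried an authenticated user or was refused.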
BeNe Offline
Moderator
*****
Moderators

Posts: 5,899
Joined: Jan 2007
Reputation: 68
Post: #6
RE: Access to PMA to anyone???
grungy Wrote: Well, just to point out that the setup program in VHCS by default creates a passwordless account for the FTP user! So just by accessing the PMA URL for a domain, entering the FTP username and clicking login without a password would let a 'hacker' in and expose FTP accounts...

By default I mean, the setup program will let you just hit enter, and continue with the setup when you are asked for the FTP USER password...!

A passwordless account by default? Are you sure?
In the setup you were asked about a password for vftp
04-05-2007 12:23 AM
grungy Offline
Junior Member
*

Posts: 190
Joined: Dec 2006
Reputation: 6
Post: #7
RE: Access to PMA to anyone???
BeNe Wrote: *klick* ok - now i am here Big Grin

mmmhh, the question is, how to secure PMA ?!
Why don't you use .htaccess ?
You can also change the folder name to anything and make a link in
the VHCS menu.

Don't worry about me, I'm thinking about most of the people out there...they will take things as they are, and leave the default setup.
04-05-2007 12:23 AM
grungy Offline
Junior Member
*

Posts: 190
Joined: Dec 2006
Reputation: 6
Post: #8
RE: Access to PMA to anyone???
BeNe Wrote:
grungy Wrote: Well, just to point out that the setup program in VHCS by default creates a passwordless account for the FTP user! So just by accessing the PMA URL for a domain, entering the FTP username and clicking login without a password would let a 'hacker' in and expose FTP accounts...

By default I mean, the setup program will let you just hit enter, and continue with the setup when you are asked for the FTP USER password...!

A passwordless account by default? Are you sure?
In the setup you were asked about a password for vftp

Just hit enter when you are asked for the password...Wink
04-05-2007 12:24 AM
BeNe Offline
Moderator
*****
Moderators

Posts: 5,899
Joined: Jan 2007
Reputation: 68
Post: #9
RE: Access to PMA to anyone???
Yeah - just hit enter! Big Grin
But come on, which sysadmin hits "Enter" on this question ?
04-05-2007 12:29 AM
grungy Offline
Junior Member
*

Posts: 190
Joined: Dec 2006
Reputation: 6
Post: #10
RE: Access to PMA to anyone???
BeNe Wrote: Yeah - just hit enter! Big Grin
But come on, which sysadmin hits "Enter" on this question ?

Yeah, but I like to test stuff...and since you ask, the trunk that I was using had a bug that wouldn't let proftpd connect to mysql if the vftp user had a password.
04-05-2007 12:32 AM