Threaded Mode | Linear Mode

grungy · 04-05-2007 12:10 AM

If you ask me, it is a great security risk that anyone can access PMA just by entering http://www.domain.com/vhcs2/tools/pma/

Wanna know why? Think about it! Big Grin

If you ask me, a user should be logged to VHCS OMEGA to be able to access PMA!!!!

YES!

**BeNe** · 04-05-2007 12:13 AM

In which together slope is that here ??
I dont understand.... :konfus:

grungy · 04-05-2007 12:16 AM

BeNe Wrote:In which together slope is that here ??
I dont understand.... :konfus:

?

grungy · 04-05-2007 12:19 AM

Well just to point out, that the setup program in VHCS by default creates a passwordless account for the FTP user! So just by accessing the PMA URL for a domain, entering the FTP username and clicking login without a password would let a 'hacker' in and explose ftp accounts...

By default I mean, the setup program will let you just hit enter, and continue with the setup when you are asked for the FTP USER password...!

**BeNe** · 04-05-2007 12:20 AM

*klick* ok - now i am here Big Grin

mmmhh, the question is, how to secure PMA ?!
Why dont you use .htaccess ?
You can also change the folder name to anything and make a link in
the VHCS Menue.

**BeNe** · 04-05-2007 12:23 AM

grungy Wrote:Well just to point out, that the setup program in VHCS by default creates a passwordless account for the FTP user! So just by accessing the PMA URL for a domain, entering the FTP username and clicking login without a password would let a 'hacker' in and explose ftp accounts...

By default I mean, the setup program will let you just hit enter, and continue with the setup when you are asked for the FTP USER password...!

A Passwordless account by Default? Are you sure?
In the Setup you were ask about a password for vftp

grungy · 04-05-2007 12:23 AM

BeNe Wrote:*klick* ok - now i am here

mmmhh, the question is, how to secure PMA ?!
Why dont you use .htaccess ?
You can also change the folder name to anything and make a link in
the VHCS Menue.

Don't worry about me, I'm thinking about the most of the people out there...they will take things as they are, and leave the default setup.

grungy · 04-05-2007 12:24 AM

BeNe Wrote:
grungy Wrote:Well just to point out, that the setup program in VHCS by default creates a passwordless account for the FTP user! So just by accessing the PMA URL for a domain, entering the FTP username and clicking login without a password would let a 'hacker' in and explose ftp accounts...

By default I mean, the setup program will let you just hit enter, and continue with the setup when you are asked for the FTP USER password...!

A Passwordless account by Default? Are you sure?
In the Setup you were ask about a password for vftp

Just hit enter when you are asked for the password... Wink

**BeNe** · 04-05-2007 12:29 AM

Yeah - just hit enter! Big Grin

But come on, which Sysadmin hit "Enter" on this Question ?

grungy · 04-05-2007 12:32 AM

BeNe Wrote:Yeah - just hit enter!
But come on, which Sysadmin hit "Enter" on this Question ?

Yeah, but I like to test stuff...and since you ask, trunk that I was using had a bug that won't let proftpd connect to mysql if the vftp user had a password.

Threaded Mode \| Linear Mode Access to PMA to anyone???
Author	Message