Public bug reported:

Binary package hint: phpmyadmin

The mysql project, as stated in
http://dev.mysql.com/doc/refman/5.0/en/default-privileges.html:

Two anonymous-user accounts are created, each with an empty username.
The anonymous accounts have no password, so anyone can use them to
connect to the MySQL server.

On Unix, both anonymous accounts are for connections from the local
host. Connections must be made from the local host by specifying a
hostname of localhost for one of the accounts, or the actual hostname or
IP number for the other. These accounts have all privileges for the test
database and for other databases with names that start with test_.

So, the mysql-server is secure, because it accepts anonymous account
login from localhost only, but phpmyadmin is acting as a proxy to the mysql
server, so anyone can access the test database.

At least, I have found many real world servers running phpmyadmin at
/phpmyadmin and I can access the account. A person from #ubuntu-th also
can access the test database, which the host (also on #ubuntu-th) had
installed Simple Machines Forum into, and he can export smf_user from it.

Steps to reproduce:
1. Go to any phpmyadmin instance.
2. Type anything (but not existing user) into the username.
3. Login (don't enter anything as password)

Suggestions:
1. Remove the anonymous account when phpmyadmin is installed, and show a notice
message to the user. (preferred in the same way as the "Please restart any running
Firefoxes" message, as it isn't blocking dpkg)
2. Disable this account login via phpmyadmin.
3. Inform the user of this bug when installing phpmyadmin.

I don't think this bug should be fixed in mysql because the localhost
restriction is just fine.
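The server-side cleanup behind suggestion 1, as an added example that is not part of the bug report or of the mysql/phpmyadmin packages: a SQL script that audits the anonymous accounts described in the quoted MySQL documentation and removes them together with their test-database grants. It assumes it is run as a MySQL superuser on the affected server; `<host name>` is a placeholder for the hostname row the first query prints, not a value from the report.

```sql
-- Added example (not from the bug report or the Ubuntu packages):
-- audit and remove the MySQL anonymous accounts described in the report.
-- Run as a MySQL superuser, e.g.:  mysql -u root -p < remove_anonymous.sql

-- 1. Audit: every account with an empty username. On a default install
--    this returns ''@'localhost' and ''@'<host name>' with an empty
--    Password column, which is exactly what lets "any username, no
--    password" authenticate.
SELECT User, Host, Password FROM mysql.user WHERE User = '';

-- 2. Audit: the privileges those accounts carry. On a default install
--    mysql.db holds rows for Db = 'test' and Db = 'test\_%' with User = ''.
SELECT User, Host, Db FROM mysql.db WHERE User = '';

-- 3. Remove the anonymous accounts. Replace <host name> with the value
--    shown by query 1 (placeholder, not taken from the report).
DROP USER ''@'localhost';
DROP USER ''@'<host name>';

-- 4. Belt and braces: on old servers DROP USER removed only the
--    mysql.user row, so delete any empty-user grants on test databases
--    that might remain and reload the grant tables.
DELETE FROM mysql.db WHERE User = '' AND Db LIKE 'test%';
FLUSH PRIVILEGES;

-- 5. Verify: both queries must now return an empty set.
SELECT User, Host FROM mysql.user WHERE User = '';
SELECT User, Host, Db FROM mysql.db WHERE User = '';
```

The same cleanup is what `mysql_secure_installation` offers interactively. Removing the accounts on the server addresses the root cause regardless of what sits in front of MySQL; separately, phpMyAdmin's own `$cfg['Servers'][$i]['AllowNoPassword']` setting decides whether it will even attempt a login with an empty password, which is the layer suggestion 2 would act on.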

** Affects: phpmyadmin
     Importance: Undecided
         Status: New

** Affects: phpmyadmin (Ubuntu)
     Importance: Undecided
         Status: New

** Also affects: phpmyadmin
   Importance: Undecided
       Status: New

** Description changed:

  Binary package hint: phpmyadmin
  
  The mysql project, as stated in http://dev.mysql.com/doc/refman/5.0/en
  /default-privileges.html
  
  Two anonymous-user accounts are created, each with an empty username.
  The anonymous accounts have no password, so anyone can use them to
  connect to the MySQL server.
  
  On Unix, both anonymous accounts are for connections from the local
  host. Connections must be made from the local host by specifying a
  hostname of localhost for one of the accounts, or the actual hostname or
  IP number for the other. These accounts have all privileges for the test
  database and for other databases with names that start with test_.
  
  So, the mysql-server is secure, because it accept anonymous account
  login from localhost only but phpmyadmin is acting as proxy to mysql
  server so anyone can access the test database.
  
  At least, I have found many real world servers running phpmyadmin at
  /phpmyadmin and I can access the account. A person from #ubuntu-th also
  can access the test database, which the host(also on #ubuntu-th) had
  installed Simple Machines Forum into and he can export smf_user from it.
  
  Suggestions:
  1. Remove the anonymous account when phpmyadmin is installed, and show notice 
message to the user. (preferred in the same way as "Please restart any running 
Firefoxes" message as it isn't blocking dpkg)
  2. Disable this account login via phpmyadmin.
+ 3. Inform user when install phpmyadmin of this bug.
+ 
+ I don't think this bug should fix in mysql because the localhost
+ restriction is just fine.

** Description changed:

  Binary package hint: phpmyadmin
  
  The mysql project, as stated in http://dev.mysql.com/doc/refman/5.0/en
  /default-privileges.html
  
  Two anonymous-user accounts are created, each with an empty username.
  The anonymous accounts have no password, so anyone can use them to
  connect to the MySQL server.
  
  On Unix, both anonymous accounts are for connections from the local
  host. Connections must be made from the local host by specifying a
  hostname of localhost for one of the accounts, or the actual hostname or
  IP number for the other. These accounts have all privileges for the test
  database and for other databases with names that start with test_.
  
  So, the mysql-server is secure, because it accept anonymous account
  login from localhost only but phpmyadmin is acting as proxy to mysql
  server so anyone can access the test database.
  
  At least, I have found many real world servers running phpmyadmin at
  /phpmyadmin and I can access the account. A person from #ubuntu-th also
  can access the test database, which the host(also on #ubuntu-th) had
  installed Simple Machines Forum into and he can export smf_user from it.
  
+ Steps to reproduce:
+ 1. Go to any phpmyadmin instance.
+ 2. Type anything (but not existing user) into the username.
+ 3. Login (don't enter anything as password)
+ 
  Suggestions:
  1. Remove the anonymous account when phpmyadmin is installed, and show notice 
message to the user. (preferred in the same way as "Please restart any running 
Firefoxes" message as it isn't blocking dpkg)
  2. Disable this account login via phpmyadmin.
  3. Inform user when install phpmyadmin of this bug.
  
  I don't think this bug should fix in mysql because the localhost
  restriction is just fine.

-- 
Anyone can connect with any username but no password
https://bugs.launchpad.net/bugs/281290
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
