Ric Posted March 28, 2010

UniServer 5.6.2-Nano

This release of Uniform Server is a security update. Although there have been no reported security breaches, a potential window of opportunity has been found. Versions affected: all Mona and Nano series.

Problem: When changing the MySQL root password, “localhost” is correctly updated; however, host “127.0.0.1” remains unchanged. This is undesirable and should be rectified straight away.

Solution: The solution is to download the latest version of Uniform Server. However, this may be inconvenient. Existing installations are easily upgradeable as follows:

1] Edit file: UniServer\home\admin\www\mqsetup.php

Locate this code:

```php
// Create query string (not sure if you need to flush privs)
$query = 'SET PASSWORD FOR \'root\'@\'localhost\' = PASSWORD(\'' . $nwpass . '\')';
$result = mysql_query($query);
```

Just below it add the following code:

```php
// Create query string
// 'root'@'127.0.0.1' is a separate MySQL account from 'root'@'localhost',
// so its password has to be set explicitly as well ($nwpass is used exactly
// as in the existing 'localhost' query above).
$query = 'SET PASSWORD FOR \'root\'@\'127.0.0.1\' = PASSWORD(\'' . $nwpass . '\')';
$result = mysql_query($query);
// Reload the grant tables so both passwords take effect immediately
$query = "FLUSH PRIVILEGES";
$result = mysql_query($query);
```

2] Start servers

3] From Unitray run restore MySQL password (root, name and password both restored to root)

4] From Apanel set a new MySQL root password or use the one you previously set.

Apologies for any inconvenience caused

Download 5.6.2-Nano

Regards,
The Uniform Server Development Team
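The fix above patches one known host. The underlying point is that MySQL keys accounts on user *and* host, so `'root'@'localhost'` and `'root'@'127.0.0.1'` are separate rows in `mysql.user` with separate password hashes, and a password change only touches the rows it names. The following Python is an added example, not code from the post or from Uniform Server: it goes beyond the post by checking every host entry for a user rather than one, reimplements the MySQL 4.1+/5.x `PASSWORD()` hash so an existing install can be audited offline from a `SELECT User, Host, Password FROM mysql.user` dump, and generates the `SET PASSWORD` statements for any host that was missed. It assumes a MySQL 5.x server using native-password hashes (no `OLD_PASSWORD()` rows) and that `SET PASSWORD ... = '<hash>'` (the pre-hashed form) is accepted; the sample rows are constructed and the function names are the author's own.

```python
import hashlib


def mysql_native_password_hash(cleartext: str) -> str:
    """Reimplement MySQL 4.1+/5.x PASSWORD() (mysql_native_password):
    '*' followed by the upper-case hex of SHA1(SHA1(cleartext)), where the
    inner digest is fed back in as raw bytes. Assumption: no OLD_PASSWORD()
    style 16-hex-digit hashes are present."""
    inner = hashlib.sha1(cleartext.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


# Constructed sample of the User, Host and Password columns of mysql.user,
# as they might look after the unpatched mqsetup.php changed only
# 'root'@'localhost' to 'password'. These rows are made up for the example.
SAMPLE_USER_ROWS = [
    ("root", "localhost", mysql_native_password_hash("password")),  # updated
    ("root", "127.0.0.1", mysql_native_password_hash("root")),      # still the default
    ("root", "::1", ""),                                            # constructed: never given a password
    ("pma", "localhost", mysql_native_password_hash("password")),   # unrelated user
]


def sql_quote(value: str) -> str:
    """Quote a string literal for MySQL: double backslashes, escape quotes."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def stale_hosts(rows, user, cleartext):
    """Return the Host of every account named `user` whose stored hash is not
    PASSWORD(cleartext), i.e. hosts the password change did not reach.
    An empty Password column (no password at all) counts as stale too."""
    expected = mysql_native_password_hash(cleartext)
    return [host for (name, host, stored) in rows
            if name == user and stored.upper() != expected]


def fix_statements(rows, user, cleartext):
    """Build one SET PASSWORD per stale host, then FLUSH PRIVILEGES.
    The password is sent as the pre-computed hash (the 'encrypted password'
    form of SET PASSWORD in MySQL 5.x) so the cleartext never appears in the
    statement or in the server's general query log."""
    expected = mysql_native_password_hash(cleartext)
    stmts = [
        f"SET PASSWORD FOR {sql_quote(user)}@{sql_quote(host)} = {sql_quote(expected)};"
        for host in stale_hosts(rows, user, cleartext)
    ]
    if stmts:
        stmts.append("FLUSH PRIVILEGES;")
    return stmts


if __name__ == "__main__":
    for host in stale_hosts(SAMPLE_USER_ROWS, "root", "password"):
        print(f"stale: 'root'@'{host}'")
    print("\n".join(fix_statements(SAMPLE_USER_ROWS, "root", "password")))
```

To audit a real installation, run `SELECT User, Host, Password FROM mysql.user` as root, feed the rows to `stale_hosts` with the password you believe you set, and any host it returns is still reachable with the old credentials; the statements from `fix_statements` are what a corrected mqsetup.php would need to issue, one per host, before `FLUSH PRIVILEGES`.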
Ric Posted March 28, 2010 (Author)

“It takes a brave man to admit to a security issue and do it publicly”.

Well I have no issues with that. Seems he thought it a good idea to either ignore it or brush it under the carpet. No! Never been my way; if there is a potential security issue it is already a security matter that should be addressed.

“User report, shortened version:”

The above came to light while testing Z-Con. After creating a restricted user, started testing with the MySQL command prompt for accessibility; this was using host 127.0.0.1 and password. Access denied, using password. However, using localhost and password was fine. Reproducible and confirmed, hence the reason for a security update.

It appears no one has ever tested this particular scenario, hence the issue has never come to light.

Just thought you would like some background to this issue.

All the best
Ric