The Uniform Server Community

UniServer 5.6.2-Nano


Ric


This release of Uniform Server is a security update.

Although there have been no reported security breaches, a potential window of opportunity has been found.

Versions affected: all Mona and Nano series.

 

Problem:

When changing the MySQL root password, “localhost” is correctly updated; however, host “127.0.0.1” remains unchanged. This is undesirable and should be rectified straight away.

 

Solution:

The solution is to download the latest version of Uniform Server. However, this may be inconvenient. Existing installations are easily upgradeable as follows:

 

1] Edit file: UniServer\home\admin\www\mqsetup.php

Locate this code:

// Create query string (not sure if you need to flush privs)
$query = 'SET PASSWORD FOR \'root\'@\'localhost\' = PASSWORD(\'' . $nwpass . '\')';
$result = mysql_query($query);

Just below it add the following code:

// Create query string
$query = 'SET PASSWORD FOR \'root\'@\'127.0.0.1\' = PASSWORD(\'' . $nwpass . '\')';
$result = mysql_query($query);

$query = "FLUSH PRIVILEGES";
$result = mysql_query($query);

2] Start servers

3] From Unitray run restore MySQL password (root, name and password both restored to root)

4] From Apanel set a new MySQL root password or use the one you previously set.
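Added example, not code from the post or from Uniform Server: a check for the condition the advisory describes, run over rows as returned by SELECT User, Host, Password FROM mysql.user WHERE User = 'root' on a MySQL 5.x server. It reports when the root account's host rows carry different password hashes and builds a SET PASSWORD statement for every host row present (so it also covers hosts such as ::1 that the two-line patch above does not name). The sample rows and hash values are constructed placeholders.

```python
"""Check that every host row of the MySQL root account shares one password.

Added example, not Uniform Server code. Input rows mirror
  SELECT User, Host, Password FROM mysql.user WHERE User = 'root';
on MySQL 5.x, where PASSWORD() and SET PASSWORD FOR ... = PASSWORD() apply.
"""

# Constructed sample: 'localhost' was updated, the other host rows were not.
# Hash strings are placeholders, not real MySQL hashes.
SAMPLE_USER_ROWS = [
    ("root", "localhost", "*NEW_HASH_PLACEHOLDER"),
    ("root", "127.0.0.1", "*OLD_HASH_PLACEHOLDER"),
    ("root", "::1", "*OLD_HASH_PLACEHOLDER"),
    ("webapp", "localhost", "*APP_HASH_PLACEHOLDER"),
]


def sql_quote(value):
    """Quote a string as a MySQL literal, escaping backslashes and quotes."""
    escaped = value.replace("\\", "\\\\").replace("'", "\\'")
    return "'" + escaped + "'"


def divergent_hosts(rows, user="root"):
    """Return {host: hash} for `user` when its host rows disagree on the hash.

    An empty dict means every host row of the account carries the same hash,
    which is the state a root password change should leave behind.
    """
    by_host = {host: pw for u, host, pw in rows if u == user}
    return by_host if len(set(by_host.values())) > 1 else {}


def password_update_statements(rows, new_password, user="root"):
    """Build SET PASSWORD statements for every host row of `user`, then FLUSH.

    Hosts are taken from the rows themselves, so 'localhost', '127.0.0.1',
    '::1' and any other row present are all updated together.
    """
    hosts = sorted(host for u, host, _ in rows if u == user)
    statements = [
        "SET PASSWORD FOR %s@%s = PASSWORD(%s)"
        % (sql_quote(user), sql_quote(host), sql_quote(new_password))
        for host in hosts
    ]
    statements.append("FLUSH PRIVILEGES")
    return statements


if __name__ == "__main__":
    for host, pw_hash in divergent_hosts(SAMPLE_USER_ROWS).items():
        print("root@%s has hash %s" % (host, pw_hash))
```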

 

Apologies for any inconvenience caused

 

Download 5.6.2-Nano

 

Regards,

The Uniform Server Development Team :)


“It takes a brave man to admit to a security issue and do it publicly”.

Well, I have no issues with that. Seems he thought it a good idea to either ignore it or brush it under the carpet.

 

No! That has never been my way: if there is a potential security issue, it is already a security matter that should be addressed.

 

“User report, shortened version;”

 

The above came to light while testing Z-Con. After creating a restricted user, I started testing with the MySQL command prompt for accessibility; this was using host 127.0.0.1 and a password.

 

Access denied, using password. However, using localhost and the password was fine.

 

Reproducible and confirmed, hence the reason for a security update. :)

 

It appears no one has ever tested this particular scenario, hence the issue has never come to light.

 

Just thought you would like some background to this issue.

 

All the best

Ric :)
