Easy Hosting Control Panel (EHCP) :: Force Edition

EHCP General => General => Topic started by: earnolmartin on March 13, 2016, 04:29:02 pm

Title: CRITICAL SECURITY FLAW - UPDATE IMMEDIATELY
Post by: earnolmartin on March 13, 2016, 04:29:02 pm
Update to the latest version of EHCP Force immediately.  A security flaw has been identified where the MySQL root database password is revealed along with every MySQL user and password combination. 

The flaw was pre-existing in EHCP.  Thus, this flaw affects EHCP users as well!  I have notified the developer of EHCP regarding this flaw. 

Recommended actions (DO IN ORDER):


To change your MySQL root user password, first connect to MySQL using your current root user's password like so:

Code:
mysql -uroot -p'YOURPASSWORDHERE'

Now, change the root user password by running the following:

Code:
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('MyNewPass');
flush privileges;

Now, update the root user password in the EHCP config:

Code:
sudo nano /var/www/new/ehcp/config.php

Connect to the panel using the admin account.  List MySQL databases.  Change the password for all users.  Update the applications with the latest password.

I apologize for the inconvenience this may have caused.  Believe me, I was not thrilled that I had to change 80+ database passwords on my own servers.
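
The root password rotation described in the post, as an added example that is not part of the original post or the EHCP project. It generates the new password and feeds the current one to mysql through a private option file, so neither appears in the process list or shell history. The function names are hypothetical, the SQL is the MySQL 5.x syntax shown in the post, and the current password is assumed to contain no double quote or backslash.

```shell
#!/bin/sh
# Added example (not from the post): rotate the MySQL root password without
# putting either password on the command line. Function names are hypothetical.

# Alphanumeric password from the kernel CSPRNG; needs no escaping in SQL,
# option files or PHP. 1024 random bytes yield roughly 250 usable characters.
gen_password() {
    head -c 1024 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9' | cut -c1-"${1:-32}"
}

# Write a MySQL client option file that only the current user can read.
# $1 = path, $2 = user, $3 = password (assumed to contain no '"' or '\').
write_client_cnf() {
    ( umask 077
      printf '[client]\nuser=%s\npassword="%s"\n' "$2" "$3" > "$1" ) &&
    chmod 600 "$1"
}

# Emit the statements from the post for the new password. Anything outside
# [A-Za-z0-9] is refused so the value cannot break out of the SQL string.
build_rotation_sql() {
    case "$1" in
        ''|*[!A-Za-z0-9]*) echo "refusing unsafe password" >&2; return 1 ;;
    esac
    printf "SET PASSWORD FOR 'root'@'localhost' = PASSWORD('%s');\n" "$1"
    printf 'FLUSH PRIVILEGES;\n'
}

# Interactive driver: prompt for the current password, rotate, then print the
# new one once so it can be copied into /var/www/new/ehcp/config.php.
rotate_root() {
    cnf=$(mktemp) || return 1
    trap 'rm -f "$cnf"' EXIT
    printf 'Current root password: ' >&2
    stty -echo; IFS= read -r old_pw; stty echo; echo >&2
    new_pw=$(gen_password 32)
    write_client_cnf "$cnf" root "$old_pw" || return 1
    # --defaults-extra-file must be the first option given to mysql.
    build_rotation_sql "$new_pw" | mysql --defaults-extra-file="$cnf" || return 1
    echo "New root password: $new_pw"
}

if [ "${1:-}" = "--run" ]; then rotate_root; fi
```

Invoke the script with `--run` to perform the rotation; the per-database user passwords are still changed through the panel as the post describes.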