Author Topic: CRITCAL SECURITY FLAW - UPDATE IMMEDIATELY  (Read 705 times)

earnolmartin

  • Administrator
  • Full Member
  • *****
  • Posts: 139
    • View Profile
CRITCAL SECURITY FLAW - UPDATE IMMEDIATELY
« on: March 13, 2016, 04:29:02 pm »
Update to the latest version of EHCP Force immediately.  A security flaw has been identified where the MySQL root database password is revealed along with every MySQL user and password combination. 

The flaw was pre-existing in EHCP.  Thus, this flaw affects EHCP users as well!  I have notified the developer of EHCP regarding this flaw. 

Recommended actions (DO IN ORDER):

  • Update immediately to the latest version
  • Change MySQL root user password
  • Update /var/www/new/ehcp/config.php with new root MySQL user password
  • Change all MySQL user passwords via the panel as the admin account and inform your users!

To change your MySQL root user password, first connect to MySQL using your current root user's password like so:

Code: [Select]
mysql -uroot -p'YOURPASSWORDHERE'

Now, change the root user password by running the following:

Code: [Select]
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('MyNewPass');
flush privileges;

Now, update the root user password in the EHCP config:

Code: [Select]
sudo nano /var/www/new/ehcp/config.php

Connect to the panel using the admin account.  List MySQL databases.  Change the password for all users.  Update the applications with the latest password.

I apologize for the inconvenience this may have caused.  Believe me, I was not thrilled that I had to change 80+ database passwords on my own servers.
« Last Edit: March 13, 2016, 10:45:45 pm by earnolmartin »