Easy Hosting Control Panel (EHCP) :: Force Edition

EHCP General => General => Topic started by: earnolmartin on March 13, 2016, 04:29:02 pm

Post by: earnolmartin on March 13, 2016, 04:29:02 pm
Update to the latest version of EHCP Force immediately.  A security flaw has been identified where the MySQL root database password is revealed along with every MySQL user and password combination. 

The flaw was pre-existing in EHCP.  Thus, this flaw affects EHCP users as well!  I have notified the developer of EHCP regarding this flaw. 

Recommended actions (DO IN ORDER):

To change your MySQL root user password, first connect to MySQL using your current root user's password like so:

Code: [Select]
mysql -uroot -p'YOURPASSWORDHERE'

Now, change the root user password by running the following:

Code: [Select]
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('MyNewPass');
flush privileges;

Now, update the root user password in the EHCP config:

Code: [Select]
sudo nano /var/www/new/ehcp/config.php

Connect to the panel using the admin account.  List MySQL databases.  Change the password for all users.  Update the applications with the latest password.

I apologize for the inconvenience this may have caused.  Believe me, I was not thrilled that I had to change 80+ database passwords on my own servers.