pagoda phpmyadmin Unauthorized access vulnerability

This article is only for study , It is strictly forbidden to use it for illegal purposes , Otherwise, we will be responsible for the consequences .

Vulnerability profile

【 Pagoda panel 】 Emergency security update notification ,Linux panel 7.4.2 edition /Windows panel 6.8 There are security risks in version , There is no such risk in other versions . An urgent update has been released , All users using this version must upgrade to the latest version , Update method , Login panel can be upgraded directly , If there is a problem with the update , Please log in to pagoda forum for feedback or contact customer service for feedback

Holes affect

Linux Official version 7.4.2
Linux The beta 7.5.13
Windows Official version 6.8

Installed phpmyadmin,mysql database .（ Other versions do not affect ）

to open up 888 And it's not configured http authentication

FOFA grammar

app=" pagoda -Linux Control panel "

Loophole recurrence

Usually installed on the pagoda panel phpmyadmin Database management software , As long as the corresponding method , You can operate the database without user name and password

among 888 Is the default port , If custom port , It may be other ports , You can test whether there is this vulnerability

visit http://xxx.xxx.xxx.xxx:888/pma that will do

Bug repair

Upgraded version , Or use a safe version

By modifying the pma The configuration file , Mask the corresponding port , Closing public access rights and other methods can also solve