Auto-login Bug

quoviz_dev · October 22, 2020, 5:49pm

Provider: OVH

Virtualization Type: VPS

System: Centos 7.5

Installation option:

OLS or Enterprise?
OLS

Installing from official server or mirror server?
official

Install Memcached extension for PHP?
yes

Install LiteSpeed Memcached?
yes

Install Memcached?
yes

Install Redis extension for PHP?
no

Install Redis?
no

Problem:

Since version 2.0.3 After using the autologin for the Database, you are able to logout of phpMyadmin as well as Cyberpanel but even after logging out of both, Anyone is able to re-access phpMyadmin by just going to https://servername:8090/phpmyadmin/index.php and have full access to the session of the last person who was logged in. The session is not closed at all. This is a huge security breech if being used on a pc that is not a personal machine.

maxin · October 26, 2020, 3:23am

Yes, correct, the login session is not clearing even after logout unless we clear the browser cache and session ourself , kind of security issue.

mcbsys · January 13, 2021, 1:42am

Just noticed this on my new CyberPanel 2 build 3 machine. Very concerning. Fortunately I am able to limit access to port 8090 (and thus phpMyAdmin) to my IP address.

I spent some time trying to force phpMyAdmin to expire the logon cookie after 10 seconds, but was not successful. I tested by adding this line to /usr/local/CyberCP/public/phpmyadmin/config.inc.php:

$cfg[‘LoginCookieValidity’] = 10;

I think the phpMyAdmin Signon authentication mode that they are using (Installation — phpMyAdmin 5.1.4 documentation) does not use the phpMyAdmin cookies.

There is a suggestion here about how to revert to normal phpMyAdmin logon:

Disabling the Signon authentication might be the most secure option for now.