vicidial.org

[antuan]

Hi everyone,

after installing vicibox 7.0.2 i run phpMyAdmin

192.168.1.1/phpMyAdmin/

and it showed error:

Access forbidden!

You don't have permission to access the requested directory. There is either no index document or the directory is read-protected.
If you think this is a server error, please contact the webmaster.

Error 403

192.168.1.1
Apache

I Disabled Yast Firewall but the problem did' not fixed
In the version vicibox 5.x and 6.x i run 'yast -i phpMyAdmin' or 'zypper in phpMyAdmin' and run very well.

Has anything changed to the version vicibox 7.x?

can you help me?

Thanks a lot!

[williamconley]

NOT related to Firewall. If it was a firewall issue, you would not have received a response from Apache. Apache told you that you do not have permission or there is some other reason it can not show this document to you.

Note that phpMyAdmin is an often-hacked application that is Very Useful but also very dangerous. As such, I would not be surprised to hear that Kumba locked that folder to specific IP ranges in the apache configuration files for Vicibox 7.X. We usually lock the folder so everyone in the company must have a digest password for it, but IP locking is just as good. Check out the apache configuration files in /etc/apache2 probably in "default-server.conf" or in a vhosts.d entry or a conf.d entry.

You can probably also check the logs in /var/log/apache2 and see if there is a hint.

And you're sure you told the installer to install phpMyAdmin?

[Kumba]

I removed the ability to set-up phpMyAdmin from the installer. It's such a huge security issue and we had clients saying 'y' to installing it which resulted in them getting hacked and their server used from everything from BitCoin mining to spam to DDoS zombies.

You now have to manually enable it. It's already installed, but no one has access to it.

If you REALLY want to enable phpMyAdmin, you would do the following:

1) sed -i 's/denied/granted/g' /etc/apache2/conf.d/phpMyAdmin.conf
2) apache2ctl -k graceful (or service apache2 restart)
3) Edit /etc/phpMyAdmin/config.inc.php if your database is on another server or you have any custom things to set.

PLEASE PLEASE keep in mind that phpMyAdmin is IMMENSELY insecure and having it not properly secured almost ALWAYS results in getting hacked!!!!

[williamconley]

We lock the folder with a password in apache. Thus no information will be provided until after the pass is provided, regardless of the content of the folder. Plus Dynamic Good Guys on the server ... so far no hacks.

add new phpMyAdmin directory

Code: Select all

  nano +75 /etc/apache2/default-server.conf

below '''cgi-bin''' directory setup,

Code: Select all

 # Protect phpMyAdmin folder from attacks
 <Directory /srv/www/htdocs/phpMyAdmin>
         AllowOverride None
         Order allow,deny
         Allow from all
         AuthType Basic
         AuthName "phpMyAdmin -- Authorized Managers Only -- "
         AuthUserFile /srv/www/passwd/phpmyadmin
         Require valid-user
 </Directory>

Change the IP address to "localhost" in the config file

Code: Select all

nano +31 /srv/www/htdocs/phpMyAdmin/config.inc.php

create the password file

Code: Select all

mkdir /srv/www/passwd
htpasswd2 -c /srv/www/passwd/phpmyadmin admin

Add more users to the password file (in case you want to delete some user's access later without deleting everyone):

Code: Select all

htpasswd2 /srv/www/passwd/phpmyadmin poundteam

Note the missing "-c" which would wipe out the old password file if one existed. Obviously don't want to do that when adding a second user. But a technician accidentally does this once a month. LOL

Finish

Code: Select all

service apache2 restart

And poof no access to the phpMyAdmin folder without the password, which is unrelated to any "other" passwords. You must have "The Password" for phpMyAdmin to get in. *)

[Kumba]

That's the most recommended way to do it. Not the easiest to administer for an inexperienced admin. Our problem was that clients would install it on things that didn't matter like Archive servers and Dialers and it would just get hacked. The kicker is phpMyAdmin wasn't even configured to go anywhere, but it was still a vector of attack.

That's why I decided to make it a manual install option. Those who really need it will understand what it is.

[williamconley]

Duly noted. We'll make a note during installation to wake it up on servers where its relevant.