TUCoPS :: Web :: Apps :: mysql7.txt

MySQL File Structure Weakness

COMMAND

    MySQL

SYSTEMS AFFECTED

    PCCS MySQL DB Admin Tool v1.2.3

PROBLEM

    Steven  Vittitoe  found  following.   This  advisory  highlights a
    weakness in the  file structure of  the PCCS MySQL  Database Admin
    Tool.   This web  application can  expose a  mySQL administrator's
    password.

    The default install  requires you to  use a directory  that is web
    accessible.   Under  that  directory  there  is a directory called
    incs.  This directory contains a file called dbconnect.inc.   This
    file  stores  common  functions,   host  names,  and  plain   text
    administrator  password.   The  one  good  point  is  that you are
    required to manually  enter the password  in this directory.   But
    never underestimate  the power  of idiots.   So, in  short  anyone
    could go to

        http://your_site.com/pccsmysqladm/incs/dbconnect.inc

    and  get  the  admin's  password.   Not  to  mention  they   could
    administer  the  database  from  the  web  w/o  ever  knowing  the
    password.

SOLUTION

    Secure the directory  through your web  server.  Yes  you won't be
    able to admin the database remotely  but no one else will be  able
    to either.  This is not widely used web tool, but none the less it
    is a problem.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH