Date:         Fri, 4 Aug 2000 20:20:47 -0000
From: Steven Vittitoe <bool@GTE.NET>
Subject:      PCCS MySQL DB Admin Tool v1.2.3- Advisory
To: BUGTRAQ@SECURITYFOCUS.COM

This advisory highlights a weakness in the file structure 
of the PCCS MySQL Database Admin Tool 
(http://PCCS-Linux.COM/PCCS).  This web application can 
expose a MySQL administrator's password.

Problem:
The default install requires you to use a directory that is 
web accessible.  Under that directory there is a directory 
called incs, which contains a file called dbconnect.inc.  
This file stores common functions, host names, and the 
administrator password in plain text.  The one good point 
is that you are required to enter the password into this 
file manually.  But never underestimate the power of 
idiots.  Because the web server hands out the .inc file as 
plain text instead of executing it, anyone could go to 
http://your_site.com/pccsmysqladm/incs/dbconnect.inc and 
get the admin's password.  Not to mention they could 
administer the database from the web without ever knowing 
the password.  

Solution:
Secure the directory through your web server.  Yes, you 
won't be able to administer the database remotely, but no 
one else will be able to either.  
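As an added illustration of "secure the directory through your web server" (this is not from the advisory or the PCCS project), the httpd.conf fragment below goes a step beyond the text: it denies only the incs directory and all .inc files so the tool itself stays usable, and separately shows limiting the whole tool to administrator hosts. It assumes Apache 1.3/2.0 mod_access syntax, a DocumentRoot of /home/httpd/html, the default pccsmysqladm path from the advisory, and that the tool is PHP loading dbconnect.inc via include().

```apache
# Added example, not part of the advisory. Assumed paths:
# DocumentRoot /home/httpd/html, tool installed in pccsmysqladm.

# 1. Refuse every HTTP request for the include directory. PHP's
#    include() is a filesystem read, so the application still works.
<Directory "/home/httpd/html/pccsmysqladm/incs">
    Order deny,allow
    Deny from all
    # Apache 2.4 equivalent: Require all denied
</Directory>

# 2. Belt and braces: never serve a *.inc file from anywhere under
#    DocumentRoot, in case a copy ends up outside incs/.
<Files ~ "\.inc$">
    Order deny,allow
    Deny from all
</Files>

# 3. The advisory's own remedy: lock the whole tool down so only the
#    administrator's own hosts (assumed 192.0.2.10 here) reach it.
<Directory "/home/httpd/html/pccsmysqladm">
    Order deny,allow
    Deny from all
    Allow from 192.0.2.10
</Directory>

# Better still, keep dbconnect.inc outside DocumentRoot entirely
# (e.g. /home/httpd/private/pccs) and point PHP at it with
#   include_path = ".:/home/httpd/private/pccs"
# so no URL maps to the file at all.
```

After reloading Apache, confirm the fix by requesting /pccsmysqladm/incs/dbconnect.inc from your own site and checking that you receive a 403 rather than the file's contents.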

I don't believe this is a widely used web tool, but 
nonetheless it is a problem.