[34696] in bugtraq
Re: Horde webmail: mysql access
daemon@ATHENA.MIT.EDU (Christopher T. Beers)
Wed Apr 28 12:31:24 2004
Date: Mon, 26 Apr 2004 20:51:04 -0400
From: "Christopher T. Beers" <ctbeers@syr.edu>
To: sig@flaming.tolna.net, bugtraq@securityfocus.com
Message-ID: <D0D234732022AC71D9D58069@[192.168.1.100]>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
--On Sunday, April 25, 2004 11:11 PM +0200 sig@flaming.tolna.net wrote:
| Hello
| ....
| By default, You can access to these database servers, with the username:
| "horde" and with no password, from a remote host. Then you will have
| permission to list the databases, and to use some of them. In fact,
| "horde" and "test" databases are available for reading, and writing, in
| many cases.
|
| ....
If you read the horde_src/docs/INSTALL file there is a section when you
configure it that says
Be sure to change the default password, "horde", to something
else before creating the tables! (Remember to use this password
when you configure Horde in the next step.)
Also the script that creates the mysql database located at
horde_src/scripts/db/mysql_create.sql has the following items. Again a
warning about changing the password...
USE mysql;
REPLACE INTO user (host, user, password)
VALUES (
'localhost',
'horde',
-- IMPORTANT: Change this password!
PASSWORD('horde')
);
Obviously, this was overlooked in whatever installation you were looking
at. In fact, it looks like your administrator removed the default horde
password and replaced it with nothing...even worse than using the default
password.
--
Christopher T. Beers
UNIX Systems Engineer - Syracuse University
250 Machinery Hall Syracuse, NY 13244
(315) 443-4103 Office (315) 443-1621 Fax
