[16097] in bugtraq
PCCS MySQL DB Admin Tool v1.2.3- Advisory
daemon@ATHENA.MIT.EDU (Steven Vittitoe)
Mon Aug 7 03:32:29 2000
Message-Id: <20000804202047.11107.qmail@securityfocus.com>
Date: Fri, 4 Aug 2000 20:20:47 -0000
Reply-To: bool@GTE.NET
From: Steven Vittitoe <bool@GTE.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
This advisory highlights a weakness in the file structure
of the <a href="http://PCCS-Linux.COM/PCCS">PCCS MySQL
Database Admin Tool</a>. This web application can expose a
mySQL administrator�s password.
Problem:
The default install requires you to use a directory that is
web accessible. Under that directory there is a directory
called incs. This directory contains a file called
dbconnect.inc. This file stores common functions, host
names, and plain text administrator password. The one good
point is that you are required to manually enter the
password in this directory. But never underestimate the
power of idiots. So, in short anyone could go to
http://your_site.com/pccsmysqladm/incs/dbconnect.inc and
get the admin�s password. Not to mention they could
administer the database from the web w/o ever knowing the
password.
Solution:
Secure the directory through your web server. Yes you
won�t be able to admin the database remotely but no one
else will be able to either.
I don�t believe this is a widely used web tool, but none
the less it is a problem.
