Open Source and information security mailing list archives
Date: Mon, 26 Apr 2004 20:51:04 -0400
From: "Christopher T. Beers" <ctbeers@....edu>
To: sig@...ming.tolna.net, bugtraq@...urityfocus.com
Subject: Re: Horde webmail: mysql access


--On Sunday, April 25, 2004 11:11 PM +0200 sig@...ming.tolna.net wrote:

| Hello
| ....
| By default, you can access these database servers with the username
| "horde" and with no password, from a remote host.  Then you will have
| permission to list the databases, and to use some of them. In fact, the
| "horde" and "test" databases are available for reading and writing, in
| many cases.
|
| ....

If you read the horde_src/docs/INSTALL file there is a section when you 
configure it that says

   Be sure to change the default password, "horde", to something
   else before creating the tables! (Remember to use this password
   when you configure Horde in the next step.)

Also the script that creates the mysql database located at 
horde_src/scripts/db/mysql_create.sql has the following items.  Again a 
warning about changing the password...

USE mysql;

REPLACE INTO user (host, user, password)
    VALUES (
        'localhost',
        'horde',
        -- IMPORTANT: Change this password!
        PASSWORD('horde')
    );

Obviously, this was overlooked in whatever installation you were looking 
at.  In fact, it looks like your administrator removed the default horde 
password and replaced it with nothing...even worse than using the default 
password.

-- 
Christopher T. Beers	
UNIX Systems Engineer - Syracuse University
250 Machinery Hall	Syracuse, NY 13244
(315) 443-4103 Office	(315) 443-1621 Fax
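
An audit-and-fix sequence for the account discussed in this thread, as an added example that is not part of the original message or of the Horde distribution. It assumes the old mysql.user / mysql.db grant-table layout used by mysql_create.sql (host, user, password columns) and a server that still provides PASSWORD(); the new password is a placeholder.

```sql
-- Added example: audit and harden the 'horde' MySQL account.
-- Assumption: legacy grant tables with host/user/password columns,
-- as used by horde_src/scripts/db/mysql_create.sql.

-- 1. Flag account rows with an empty or default password, and rows
--    that allow login from anywhere other than the local machine.
SELECT host, user,
       CASE
           WHEN password = ''                THEN 'EMPTY PASSWORD'
           WHEN password = PASSWORD('horde') THEN 'DEFAULT PASSWORD'
           ELSE 'ok'
       END AS password_state,
       CASE
           WHEN host IN ('localhost', '127.0.0.1') THEN 'local only'
           ELSE 'REMOTE LOGIN ALLOWED'
       END AS host_state
FROM mysql.user
WHERE user = 'horde' OR password = '';

-- 2. Show which databases the account (or an anonymous user) can reach.
--    The "horde" and "test" databases mentioned in the report would be
--    listed here.
SELECT host, db, user, select_priv, insert_priv, update_priv, delete_priv
FROM mysql.db
WHERE user IN ('horde', '');

-- 3. Set a real password on the local account.
--    '<new-strong-password>' is a placeholder; use the same value when
--    configuring Horde, as the INSTALL file says.
SET PASSWORD FOR 'horde'@'localhost' = PASSWORD('<new-strong-password>');

-- 4. Remove grant rows that let 'horde' connect from remote hosts.
DELETE FROM mysql.user
WHERE user = 'horde' AND host NOT IN ('localhost', '127.0.0.1');
DELETE FROM mysql.db
WHERE user = 'horde' AND host NOT IN ('localhost', '127.0.0.1');

-- 5. Reload the grant tables so the direct edits take effect.
FLUSH PRIVILEGES;
```

Re-run steps 1 and 2 afterwards; no row should report EMPTY PASSWORD, DEFAULT PASSWORD or REMOTE LOGIN ALLOWED for the horde user.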

