Message-ID: <20040425211127.GB885@c3.hu>
Date: Sun, 25 Apr 2004 23:11:27 +0200
From: sig@...ming.tolna.net
To: bugtraq@...urityfocus.com
Subject: Horde webmail: mysql access


Hello

I've found a very interesting feature in the Horde webmail system...

Horde is a very popular PHP-based webmail system with many accessories. Most of these web applications (for example: turba, mnemo, etc.) use a MySQL
database server to store e-mail addresses, user memos, information about users, sometimes passwords, etc.

By default, you can access these database servers with the username "horde" and no password, from a remote host.
Then you will have permission to list the databases and to use some of them. In fact, the "horde" and "test" databases are available for reading and
writing, in many cases.

I think it is dangerous; there are many wide-open database servers around the world -> everybody can use them for their own purposes.
(Horde users' personal memos, address lists, and (sometimes) their passwords are also accessible.)

This is not a bug, this is a feature. (?)
The problem can be solved using a configured firewall, or an ACL, or just by denying connections from outside and allowing only localhost for mysqld.

PS: I think unwanted connections from the internet can cause denial of service attacks; too many DB queries, or storing large amounts of data, can be
dangerous ...
What do you think about it?


sigterm <sigterm@...hu>
	<sig@...ming.tolna.net>
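The check an administrator would want after reading the post above, as an added example that is not part of the original message: it parses the batch output of a `mysql.user` query and flags accounts that have no password or are reachable from non-local host patterns (the "horde"@"%" case), then emits the account-level counterpart of the localhost-only fix the post suggests. The sample output, the hash placeholder and the schema name passed to `remediation_sql` are all constructed assumptions.

```python
# Audit MySQL account rows for the weakness described above: accounts that
# accept logins from remote hosts and/or have no password set.
# Input is the tab-separated batch output of
#   mysql --batch -e "SELECT user, host, authentication_string FROM mysql.user"
# (on older servers the column is `password`; the layout is the same).

# Constructed sample output, not taken from any real server.
SAMPLE_OUTPUT = """user\thost\tauthentication_string
horde\t%\t
root\tlocalhost\t*HASH_PLACEHOLDER
test\t192.168.%\t
app\tlocalhost\t
"""

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def parse_user_rows(batch_output):
    """Turn mysql --batch output into (user, host, auth) tuples, skipping the header."""
    rows = []
    for line in batch_output.splitlines()[1:]:
        if not line.strip():
            continue
        # Pad so a missing trailing field (empty auth string) still unpacks.
        user, host, auth = (line.split("\t") + ["", ""])[:3]
        rows.append((user, host, auth))
    return rows


def find_risky_accounts(rows):
    """Return {(user, host): [reasons]} for accounts the post's scenario depends on.

    An empty password is flagged regardless of host; any host pattern outside
    the local addresses is flagged because it makes the account reachable
    over the network."""
    risky = {}
    for user, host, auth in rows:
        reasons = []
        if auth == "":
            reasons.append("no password")
        if host not in LOCAL_HOSTS:
            reasons.append(f"reachable from host pattern {host!r}")
        if reasons:
            risky[(user, host)] = reasons
    return risky


def remediation_sql(user, host, database):
    """SQL that recreates the account as localhost-only behind a password placeholder.
    `database` is the schema the application needs (an assumption; adjust per app)."""
    return [
        f"DROP USER '{user}'@'{host}';",
        f"CREATE USER '{user}'@'localhost' IDENTIFIED BY '<choose-a-strong-password>';",
        f"GRANT SELECT, INSERT, UPDATE, DELETE ON `{database}`.* TO '{user}'@'localhost';",
    ]
# Server-side counterpart: `bind-address = 127.0.0.1` (or `skip-networking`)
# under [mysqld] in my.cnf keeps mysqld off external interfaces entirely.
```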


