Re: Horde webmail: mysql access

• Previous message: Peter Pentchev: "Re: Apache - all versions vulnerability in OLD procesors."
• Maybe in reply to: sig_at_flaming.tolna.net: "Horde webmail: mysql access"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Mon, 26 Apr 2004 20:51:04 -0400
To: sig@flaming.tolna.net, bugtraq@securityfocus.com

--On Sunday, April 25, 2004 11:11 PM +0200 sig@flaming.tolna.net wrote:

| Hello
| ....
| By default, You can access to these database servers, with the username:
| "horde" and with no password, from a remote host. Then you will have
| permission to list the databases, and to use some of them. In fact,
| "horde" and "test" databases are available for reading, and writing, in
| many cases.
|
| ....

If you read the horde_src/docs/INSTALL file there is a section when you
configure it that says

   Be sure to change the default password, "horde", to something
   else before creating the tables! (Remember to use this password
   when you configure Horde in the next step.)

Also the script that creates the mysql database located at
horde_src/scripts/db/mysql_create.sql has the following items. Again a
warning about changing the password...

USE mysql;

REPLACE INTO user (host, user, password)
    VALUES (
        'localhost',
        'horde',
  -- IMPORTANT: Change this password!
        PASSWORD('horde')
    );

Obviously, this was overlooked in whatever installation you were looking
at. In fact, it looks like your administrator removed the default horde
password and replaced it with nothing...even worse than using the default
password.

-- 
Christopher T. Beers	
UNIX Systems Engineer - Syracuse University
250 Machinery Hall	Syracuse, NY 13244
(315) 443-4103 Office	(315) 443-1621 Fax

• Previous message: Peter Pentchev: "Re: Apache - all versions vulnerability in OLD procesors."
• Maybe in reply to: sig_at_flaming.tolna.net: "Horde webmail: mysql access"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]