OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: PCCS MySQL DB Admin Tool v1.2.3- Advisory
From: Steven Vittitoe (boolGTE.NET)
Date: Fri Aug 04 2000 - 15:20:47 CDT


This advisory highlights a weakness in the file structure
of the <a href="http://PCCS-Linux.COM/PCCS">PCCS MySQL
Database Admin Tool</a>. This web application can expose a
mySQL administratorís password.

Problem:
The default install requires you to use a directory that is
web accessible. Under that directory there is a directory
called incs. This directory contains a file called
dbconnect.inc. This file stores common functions, host
names, and plain text administrator password. The one good
point is that you are required to manually enter the
password in this directory. But never underestimate the
power of idiots. So, in short anyone could go to
http://your_site.com/pccsmysqladm/incs/dbconnect.inc and
get the adminís password. Not to mention they could
administer the database from the web w/o ever knowing the
password.

Solution:
Secure the directory through your web server. Yes you
wonít be able to admin the database remotely but no one
else will be able to either.

I donít believe this is a widely used web tool, but none
the less it is a problem.