Robin Johnson wrote:
Hi Guys,
And other nefarious things. I found a few sites where I could access their entire database with full rights, even some where they have configured the user to root and I could change the mysql database.
I know at least one distribution of Linux that installs MySQL with user root and no password. Let's add a red warning when we detect that they are using 'config' auth mode, with a blank password, to try to educate the admin of this system.
This is what we need to do to fix it: 1. All served up pages should contain directives to instruct search robots not to index the files. This will stop so many sites being listed in the search engines.
2. We should deprecate the user/password standard login, or add a bit of technology to it. We should throw up a login page of our own, that should authenticate against a user/password pair in an array inside the configuration file. It might be possible to keep the automatic login of user/password, but it should not be enabled by default, for security. And the configuration option to turn that unsecure method back on should have huge warnings around it.
-- Marc Delisle