Robin Johnson wrote:
Hi Guys,
And other nefarious things. I found a few sites where I could access their
entire database with full rights, even some where they have configured the
user to root and I could change the mysql database.
I know at least one distribution of Linux that installs MySQL with user
root and no password.
Let's add a red warning when we detect that they are using 'config' auth
mode, with a blank password, to try to educate the admin of this system.
This is what we need to do to fix it:
1. All served-up pages should contain directives to instruct search robots
not to index the files. This will stop so many sites being listed in the
search engines.
2. We should deprecate the user/password standard login, or add a bit of
technology to it. We should throw up a login page of our own, that should
authenticate against a user/password pair in an array inside the
configuration file. It might be possible to keep the automatic login of
user/password, but it should not be enabled by default, for security.
And the configuration option to turn that insecure method back on should
have huge warnings around it.
--
Marc Delisle
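An added illustration of the two measures discussed in this thread (the red warning for 'config' auth mode with a blank password, and the robots noindex directive on every served page). This is example code written for this post, not phpMyAdmin's own implementation; it assumes a phpMyAdmin-style `$cfg['Servers'][$i]` array with `auth_type`, `user` and `password` keys.

```php
<?php
// Added example, not phpMyAdmin's own code. Assumes a phpMyAdmin-style
// $cfg['Servers'] array whose entries carry 'auth_type', 'user' and 'password'.

/**
 * Return warning strings for every server entry that uses 'config' auth mode
 * with a blank password or with the root account; empty array if none.
 */
function checkConfigAuth(array $servers): array
{
    $warnings = [];
    foreach ($servers as $i => $server) {
        if (($server['auth_type'] ?? '') !== 'config') {
            continue; // cookie/http modes prompt the visitor, so nothing to flag here
        }
        $user = $server['user'] ?? '';
        $pass = $server['password'] ?? '';
        if ($pass === '') {
            $warnings[] = "Server $i: 'config' auth mode with a blank password for user '$user'";
        }
        if ($user === 'root') {
            $warnings[] = "Server $i: 'config' auth mode logs every visitor in as root";
        }
    }
    return $warnings;
}

/** Ask search engines not to index or follow this page (HTTP header form). */
function sendNoIndexHeader(): void
{
    if (!headers_sent()) {
        header('X-Robots-Tag: noindex, nofollow', true);
    }
}

/** Same directive as an HTML meta tag, for inclusion in <head>. */
function noIndexMetaTag(): string
{
    return '<meta name="robots" content="noindex, nofollow">';
}

// Constructed sample configuration reproducing the risky setup described above.
$cfg['Servers'][1] = ['auth_type' => 'config', 'user' => 'root', 'password' => ''];
$cfg['Servers'][2] = ['auth_type' => 'cookie', 'user' => '', 'password' => ''];

sendNoIndexHeader();
echo noIndexMetaTag(), "\n";
foreach (checkConfigAuth($cfg['Servers']) as $warning) {
    echo '<p style="color:red"><strong>Warning:</strong> ',
        htmlspecialchars($warning, ENT_QUOTES), "</p>\n";
}
```

With the sample configuration, only server 1 produces warnings (blank password and root user); server 2 uses cookie auth and is skipped.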