Robin Johnson wrote:
Hi Guys,
And other nefarious things. I found a few sites where I could access their entire database with full rights, even some where they have configured the user to root and I could change the mysql database.
I know at least one distribution of Linux that installs MySQL with user root and no password.
Let's add a red warning when we detect that they are using 'config' auth mode, with a blank password, to try to educate the admin of this system.
This is what we need to do to fix it:
- All served up pages should contain directives to instruct search robots not to index the files. This will stop so many sites being listed in the search engines.
- We should deprecate the user/password standard login, or add a bit of technology to it. We should throw up a login page of our own, that should authenticate against a user/password pair in an array inside the configuration file. It might be possible to keep the automatic login of user/password, but it should not be enabled by default, for security. And the configuration option to turn that insecure method back on should have huge warnings around it.
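The three measures proposed in this thread (a red warning for 'config' auth with a blank password, robot directives on every page, and a login that checks against a user/password pair stored in the configuration file) sketched as one PHP script. This is an added example, not code from the thread's authors or from any project; the configuration array layout (`Servers`, `auth_type`, `user`, `password`, `LoginUsers`) and the function names are assumptions chosen for illustration.

```php
<?php
// Added example, not code from this thread or from any project.
// Assumed configuration layout: $cfg['Servers'][$i] with keys
// 'auth_type', 'user', 'password', and $cfg['LoginUsers'] mapping a
// login name to a password hash produced by password_hash().
declare(strict_types=1);

/**
 * Inspect each configured server and return warning strings for the
 * setups the thread describes: 'config' auth with a blank password, and
 * 'config' auth that logs every visitor in as root.
 */
function auditServers(array $servers): array
{
    $warnings = [];
    foreach ($servers as $i => $server) {
        $authType = $server['auth_type'] ?? 'config';
        $user     = $server['user'] ?? '';
        $password = $server['password'] ?? '';

        if ($authType === 'config' && $password === '') {
            $warnings[] = sprintf(
                'Server %s: auth_type "config" with a blank password for user "%s"; '
                . 'anyone who can reach this page gets that account\'s full rights.',
                (string) $i, $user
            );
        }
        if ($authType === 'config' && $user === 'root') {
            $warnings[] = sprintf(
                'Server %s: auth_type "config" logs every visitor in as root.',
                (string) $i
            );
        }
    }
    return $warnings;
}

/** Render warnings as the red box the thread asks for (HTML-escaped). */
function renderWarnings(array $warnings): string
{
    if ($warnings === []) {
        return '';
    }
    $items = array_map(
        fn(string $w): string => '<li>' . htmlspecialchars($w, ENT_QUOTES, 'UTF-8') . '</li>',
        $warnings
    );
    return '<div style="color:red;border:2px solid red;padding:1em">'
        . '<strong>Insecure configuration detected</strong><ul>'
        . implode('', $items) . '</ul></div>';
}

/**
 * Directives that tell search robots not to index served pages: the HTTP
 * header form and the equivalent <meta> tag, so both can be emitted.
 */
function robotsDirectives(): array
{
    return [
        'header' => 'X-Robots-Tag: noindex, nofollow',
        'meta'   => '<meta name="robots" content="noindex,nofollow">',
    ];
}

/**
 * The proposed login page's check: the submitted user/password pair is
 * verified against the configuration-file array. Only a hash is stored,
 * and the comparison is done with password_verify (constant-time).
 */
function checkLogin(array $loginUsers, string $user, string $password): bool
{
    if (!isset($loginUsers[$user])) {
        // Burn a hash anyway so a missing user takes as long as a wrong password.
        password_verify($password, password_hash('dummy', PASSWORD_DEFAULT));
        return false;
    }
    return password_verify($password, $loginUsers[$user]);
}

// Constructed sample configuration covering the bad and the acceptable case.
$cfg = [];
$cfg['Servers'] = [
    1 => ['auth_type' => 'config', 'user' => 'root', 'password' => ''],
    2 => ['auth_type' => 'config', 'user' => 'app',  'password' => 'app-secret'],
    3 => ['auth_type' => 'login',  'user' => '',     'password' => ''],
];
$cfg['LoginUsers'] = [
    'admin' => password_hash('correct horse', PASSWORD_DEFAULT),
];

if (PHP_SAPI !== 'cli') {
    header(robotsDirectives()['header']);
}
echo robotsDirectives()['meta'], "\n";
echo renderWarnings(auditServers($cfg['Servers'])), "\n";
var_dump(checkLogin($cfg['LoginUsers'], 'admin', 'correct horse')); // true
var_dump(checkLogin($cfg['LoginUsers'], 'admin', 'wrong'));         // false
var_dump(checkLogin($cfg['LoginUsers'], 'nobody', 'correct horse')); // false
```

Run with `php example.php` to see the warning box for server 1 (blank password and root) and nothing for servers 2 and 3. In a real deployment the hash in `LoginUsers` would be generated once with `password_hash()` and pasted into the configuration file rather than computed at request time, and the `X-Robots-Tag` header would be sent before any output on every served page.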