[Bug 917] New - MySQL Database user incorrectly created

bugs@bugs.horde.org bugs@bugs.horde.org
Mon, 25 Mar 2002 13:20:58 -0400

Previous message: [Bug 916] Changed - Path disclosure and potential CSS in IMP 2.2.7
Next message: [Bug 917] Changed - MySQL Database user incorrectly created
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

http://bugs.horde.org/show_bug.cgi?id=917

*** shadow/917	Mon Mar 25 13:20:58 2002
--- shadow/917.tmp.1467	Mon Mar 25 13:20:58 2002
***************
*** 0 ****
--- 1,30 ----
+ Bug#: 917
+ Product: Horde
+ Version: 2.0 Stable
+ Platform: other
+ OS/Version: Linux
+ Status: NEW   
+ Resolution: 
+ Severity: major
+ Priority: P2
+ Component: Core
+ Area: BUILD
+ AssignedTo: chuck@horde.org                            
+ ReportedBy: nick@regiocom.net               
+ URL: 
+ Summary: MySQL Database user incorrectly created
+ 
+ When using the MySQL script to create the database 
+ (horde/scripts/db/mysql_create.sql) the user horde@localhost is correctly 
+ created in mysql.user.  However, on from there commands used such as:
+   GRANT SELECT, INSERT, UPDATE, DELETE ON horde_users TO horde;
+ do not specify the EXACT user horde@localhost and therefore use whatever the 
+ database default host was when installed.  This, in the default case, sets no 
+ permission on horde@localhost (at this stage) but instead creates a new user 
+ horde@% with the permissions and no password set.  Therefore anyone can now 
+ access the horde tables from anywhere and do whatever they please.
+ 
+ The mysql_create script should use fully qualified usernames to prevent this 
+ from happening.
+ 
+ Nick

Previous message: [Bug 916] Changed - Path disclosure and potential CSS in IMP 2.2.7
Next message: [Bug 917] Changed - MySQL Database user incorrectly created
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]