[dev] Fwd: Horde webmail: mysql access

Eric Rostetter eric.rostetter at physics.utexas.edu
Mon Apr 26 17:10:51 PDT 2004


FYI

----- Forwarded message from sig at flaming.tolna.net -----
    Date: Sun, 25 Apr 2004 23:11:27 +0200
    From: sig at flaming.tolna.net
Reply-To: sig at flaming.tolna.net
 Subject: Horde webmail: mysql access
      To: bugtraq at securityfocus.com

Hello

I've found a very interesting feature in Horde webmail system...

Horde is a very popular PHP based webmail system, with many accessories. Most of
these web applications (for example: turba, mnemo, etc.) use a MySQL database
server to store e-mail addresses, user memos, information about users,
sometimes passwords, etc.

By default, you can access these database servers with the username "horde"
and no password, from a remote host.
Then you will have permission to list the databases and to use some of them. In
fact, the "horde" and "test" databases are available for reading and writing
in many cases.

I think it is dangerous; there are many wide-open database servers around the
world -> everybody can use them for their own purposes.
(Horde users' personal memos, address lists, and (sometimes their) passwords are
also accessible.)

This is not a bug, this is a feature. (?)
The problem can be solved using a configured firewall or an ACL, or by just
denying connections from outside and allowing only localhost for mysqld.

PS: I think unwanted connections from the internet can cause Denial of Service
attacks; too many DB queries, or storing large amounts of data, can be
dangerous ...
What do you think about it?


sigterm <sigterm at c3.hu>
	<sig at flaming.tolna.net>

----- End forwarded message -----


--
Eric Rostetter
The Department of Physics
The University of Texas at Austin

Why get even? Get odd!
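The forwarded mail describes two things: an audit question (which accounts can reach mysqld from outside, and which have no password) and the fix (restrict the "horde" account and the server to localhost). The statements below are an added example, not part of the original mail or of Horde, showing how a defender would check and correct that on a MySQL server. They assume the MySQL 5.7 or later grant-table layout (mysql.user with an authentication_string column and DROP USER IF EXISTS); on the MySQL 4.x servers of 2004 the column was called Password and the syntax differed. The password value is a placeholder to be replaced.

```sql
-- Added example (not from the original mail or the Horde project).
-- Assumes MySQL 5.7+ grant tables: mysql.user has user, host, plugin and
-- authentication_string columns. Run as a privileged (root) account.

-- 1. Audit: accounts reachable from any non-local host, accounts with no
--    credential, and anonymous accounts. The mail's "horde with no password
--    from a remote host" would show up here as ('horde', '%', ..., 1).
--    Rows using plugin 'auth_socket' legitimately have an empty
--    authentication_string, so check the plugin column before acting.
SELECT user, host, plugin, authentication_string = '' AS no_password
FROM mysql.user
WHERE host NOT IN ('localhost', '127.0.0.1', '::1')
   OR authentication_string = ''
   OR user = ''
ORDER BY user, host;

-- 2. Audit: what the application account can actually reach.
SHOW GRANTS FOR 'horde'@'%';

-- 3. Hardening: remove anonymous accounts and the sample "test" database,
--    which the mail reports as readable and writable by anyone. The
--    mysql.db rows are the default grants that let any account use
--    databases named test or test_*.
DROP USER IF EXISTS ''@'localhost', ''@'%';
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db WHERE db = 'test' OR db = 'test\\_%';

-- 4. Hardening: replace the passwordless, any-host "horde" account with a
--    localhost-only account that has a password and only the privileges the
--    web application needs on its own database.
DROP USER IF EXISTS 'horde'@'%';
CREATE USER 'horde'@'localhost' IDENTIFIED BY 'REPLACE-WITH-A-STRONG-PASSWORD';
GRANT SELECT, INSERT, UPDATE, DELETE ON horde.* TO 'horde'@'localhost';
FLUSH PRIVILEGES;

-- 5. Re-run the query from step 1: it should now return no rows.
```

The grant-table changes only limit who can authenticate; the network-level fix the mail suggests is done in the server configuration, by setting `bind-address = 127.0.0.1` (or `skip-networking` when the web application runs on the same host and can use the Unix socket) in the `[mysqld]` section of my.cnf, plus a host firewall rule for port 3306. Doing both also addresses the Denial of Service concern in the PS, since remote clients can no longer open connections or issue queries at all.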

