[imp] Fwd: Horde webmail: mysql access

Daniel Eckl daniel.eckl at gmx.de
Tue Apr 27 09:51:15 PDT 2004


Correct. The classical "RTFM" security hole.

Above that, the base statement is false (when it comes to horde cvs
HEAD). The default pass is "horde", not empty. :)

Greets,
Daniel

Quoting Ramon Kagan <rkagan at yorku.ca>:

> Uhm, from the mysql create file:
>
> REPLACE INTO user (host, user, password)
>     VALUES (
>         'localhost',
>         'horde',
>   -- IMPORTANT: Change this password!
>         PASSWORD('horde')
>     );
>
>
> What part of "--IMPORTANT:..." don't they understand?
> Also, one should have better security for their mysql server:
> 	1.  Specify where horde can connect from in the mysql DB
> 	2.  TCP wrap the mysql network connection
> 	3.  Audit the logs for suspicious activity.
>
> The lack of security explained by this user is nothing more than ignorance
> and laziness.  Nobody can take care of security for your machines for you.
> The onus is on yourself.
>
> Ramon Kagan
> York University, Computing and Network Services
> Unix Team -  Senior Unix Systems Administrator
> (416)736-2100 #20263
> rkagan at yorku.ca
>
> -----------------------------------   ------------------------------------
> I have not failed.  I have just	       I don't know the secret to success,
> found 10,000 ways that don't work.     but the secret to failure is
> 				       trying to please everybody.
> 	- Thomas Edison				- Bill Cosby
> -----------------------------------   ------------------------------------
>
> On Tue, 27 Apr 2004, Curt LeCaptain wrote:
>
>> Thought you guys would be interested in seeing this, came from
>> bugtraq at securityfocus.  From what I know, this's anything but the
>> truth.
>>
>> Curt L
>>
> --
> IMP mailing list - Join the hunt: http://horde.org/bounties/#imp
> Frequently Asked Questions: http://horde.org/faq/
> To unsubscribe, mail: imp-unsubscribe at lists.horde.org
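
Added example, not part of the original messages or of Horde's scripts: one way to check an existing install for the shipped 'horde' password and to apply item 1 of the list quoted above. It assumes the old `mysql.user` layout the quoted script writes to (a `password` column and the `PASSWORD()` function) and a web server running on the same host as the database; the new secret is a placeholder.

```sql
-- Added example. Assumes the privilege-table layout used by the quoted
-- create script: mysql.user has a `password` column and PASSWORD() exists.

-- 1. Is any 'horde' account still using the shipped default, or no password?
--    PASSWORD() hashes with the server's current format, so a row that was
--    hashed under a different format shows up as 'changed'; review those too.
SELECT host, user,
       CASE
         WHEN password = ''                THEN 'EMPTY PASSWORD'
         WHEN password = PASSWORD('horde') THEN 'DEFAULT PASSWORD'
         ELSE 'changed'
       END AS password_state
FROM mysql.user
WHERE user = 'horde';

-- 2. Can 'horde' connect from anywhere? An empty host or a host containing
--    the % wildcard matches remote clients.
SELECT host, user
FROM mysql.user
WHERE user = 'horde'
  AND (host = '' OR host LIKE '%\%%');

-- 3. Replace the default password (placeholder value: generate your own and
--    put the same value in the Horde database configuration).
SET PASSWORD FOR 'horde'@'localhost' = PASSWORD('REPLACE_WITH_GENERATED_SECRET');

-- 4. Assumption: web server and MySQL share a host, so only the
--    'localhost' row is needed. Drop every other 'horde' grant row.
DELETE FROM mysql.db   WHERE user = 'horde' AND host <> 'localhost';
DELETE FROM mysql.user WHERE user = 'horde' AND host <> 'localhost';

-- Direct edits to the grant tables only take effect after a reload.
FLUSH PRIVILEGES;
```

Re-run queries 1 and 2 afterwards: the only row left should be 'horde'@'localhost' with state 'changed'.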



