[imp] Fwd: Horde webmail: mysql access
Daniel Eckl
daniel.eckl at gmx.de
Tue Apr 27 09:51:15 PDT 2004
Correct. The classical "RTFM" security hole.
Above that, the base statement is false (when it comes to horde cvs
HEAD). The default pass is "horde", not empty. :)
Greets,
Daniel
Quoting Ramon Kagan <rkagan at yorku.ca>:
> Uhm, from the mysql create file:
>
> REPLACE INTO user (host, user, password)
> VALUES (
> 'localhost',
> 'horde',
> -- IMPORTANT: Change this password!
> PASSWORD('horde')
> );
>
>
> What part of "--IMPORTANT:..." don't they understand?
> Also, one should have better security for their mysql server:
> 1. Specify where horde can connect from in the mysql DB
> 2. TCP wrap the mysql network connection
> 3. Audit the logs for suspicious activity.
>
> The lack of security explained by this user is nothing more than ignorance
> and laziness. Nobody can take care of security for your machines for you.
> The onus is on yourself.
>
> Ramon Kagan
> York University, Computing and Network Services
> Unix Team - Senior Unix Systems Administrator
> (416)736-2100 #20263
> rkagan at yorku.ca
>
> ------------------------------------------------------------------------
> "I have not failed. I have just found 10,000 ways that don't work."
> - Thomas Edison
>
> "I don't know the secret to success, but the secret to failure is
> trying to please everybody."
> - Bill Cosby
> ------------------------------------------------------------------------
>
> On Tue, 27 Apr 2004, Curt LeCaptain wrote:
>
>> Thought you guys would be interested in seeing this, came from
>> bugtraq at securityfocus. From what I know, this's anything but the
>> truth.
>>
>> Curt L
>>
> --
> IMP mailing list - Join the hunt: http://horde.org/bounties/#imp
> Frequently Asked Questions: http://horde.org/faq/
> To unsubscribe, mail: imp-unsubscribe at lists.horde.org
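
An audit for the two account problems discussed in this thread (the unchanged 'horde' password and an unrestricted connect-from host), as an added example that is not part of the original messages or of Horde's code. It assumes the 41-character PASSWORD() hash format of MySQL 4.1 and later; the function names and sample rows are constructed for illustration.

```python
import hashlib

# Passwords named in the thread: 'horde' from the create script, and the
# empty password claimed by the forwarded report.
DEFAULT_PASSWORDS = ("horde", "")

def mysql41_hash(password):
    """PASSWORD() as MySQL 4.1+ computes it: '*' + HEX(SHA1(SHA1(pw))).
    Assumption: 41-character hashes; pre-4.1 16-character hashes are not handled."""
    if password == "":
        return ""  # an empty password is stored as an empty string
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()

def audit_user_rows(rows, account="horde"):
    """rows: (host, user, password_hash) tuples, e.g. from
    SELECT host, user, password FROM mysql.user. Returns (host, user, finding)."""
    weak = {mysql41_hash(p): p for p in DEFAULT_PASSWORDS}
    findings = []
    for host, user, pw_hash in rows:
        if user != account:
            continue
        if pw_hash in weak:
            what = "default password 'horde'" if weak[pw_hash] else "empty password"
            findings.append((host, user, what))
        if host == "" or "%" in host:
            findings.append((host, user, "wildcard host, not limited to a known client"))
    return findings

# Constructed sample rows, not taken from any real server.
SAMPLE_ROWS = [
    ("localhost", "horde", mysql41_hash("horde")),          # create script left unchanged
    ("%", "horde", mysql41_hash("constructed-strong-pw")),  # password changed, host open
    ("web1.example.org", "horde", ""),                      # no password set
    ("localhost", "root", mysql41_hash("horde")),           # other account, skipped
]

if __name__ == "__main__":
    for finding in audit_user_rows(SAMPLE_ROWS):
        print(finding)
```
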