Database security (or not)



  • So I just started a freelance project for some guy to make some changes to his site.. it's a super small script that doesn't require much work. In the email with all of the other details, he gave me a link to his phpmyadmin:

    http://www.example.com/php_myadmin/

     I clicked it just to have a browse, and was a bit surprised when the content showed up straight away. I figured that maybe I'd already saved the password so I closed the tab, cleared all my sessions, stored passwords, cookies, and cache, and reloaded the link.  To my surprise (and horror) the contents showed up straight away - this can't be right, thinks I, this database has names, addresses, phone numbers, and other personal data - surely it can't be accessible by anyone that types in a link. And this is a commerce site! It would be trivial to set up fake orders that looked as though they'd been approved, etc. So I booted up another computer and loaded the link there. Again, instantaneous access to all of his data. No restrictions - from my browser I was able to delete or modify his entire database if I chose. And if I wanted to edit his pages - well that would be as simple as editing a field in a table. 

     So I sent him off a quick email - "are you aware that your database is open to editing and deletion by anyone that feels like typing in that URL? - you really need to put a password on it at the least" - his reply? "Oh that's ok, I doubt anyone will guess the url anyway, and even if they did they probably wouldnt understand how to change the data" 

     



  • starts counting how long until someone posts the URL and drops the tables



  • @lolwtf said:

    starts counting how long until someone posts the URL and drops the tables

    Good luck finding this particular site. It's a very common mistake to leave PHPMyAdmin exposed to the outside world -- a Google search should bring up several thousand.



  •  Anyone seen this site?

    The most logical thing to do is to enter http://bronzecommnews.com/phpmyadmin but it is more user friendly to enter http://bronzecommnews.com/admin/login.php. I leave it up to you to find/create the username and password.



  • Send him this URL, and explain that google has a nasty way of going places you don't want it to

    And as proof that malicious people do go looking for these things, show him this



  • Well well well... the table has been dropped already.

     Table 'bronzecommnewscom.question' doesn't exist

     

    That's gotta be a new record or something. I mean, ok, those people are stupid and should be banned from using computers. But, dropping all tables with an url posted on this site? How pethatic is that.



  •  :/ Dropping tables is a bit lame. It's funny to look at them and scoff, but considering that the kind of person who leave his database wide open like that is also probably the kind of person who doesn't back up his databases, whoever did that has probably just gone and ruined their entire script... 



  •  Someone here deleted the entire database and the http://bronzecommnews.com/myphpadmin directory.

    I think someone found a manhole or some other hole. Please share :)



  • I managed to reconstruct the database. Finally! But the site cannot be accessed right now.



  • @Evo said:

    But, dropping all tables with an url posted on this site? How pethatic is that.

    It's not really his fault; Bobby Tables had a rough childhood.



  • @Faxmachinen said:

    @Evo said:

    But, dropping all tables with an url posted on this site? How pethatic is that.

    It's not really his fault; Bobby Tables had a rough childhood.

    Yipes, I got some weird error on sysadmin or some other table down. But has anyone actually tried the Survey? I found this question:

    1.  How do you lock php my admin?



  • I fix it, but now it looks someone delete it again. This time you have to fix it yourself otherwise I will sue you.



  • Why would anyone bother fixing this without first finding out how to secure the system? It's a complete exercise in futility.

    In fact, it would be a far better idea to take the system offline, and rebuild it from scratch - there's no telling how badly it's been compromised.

    These things should be set up offline, secured, and only after the security has been verified should they be allowed online. Nessus can be helpful in determining if it has been secured. (Note: nessus doesn't find every security hole; it just finds a lot of them.)



  • @zzo38 said:

    I fix it, but now it looks someone delete it again. This time you have to fix it yourself otherwise I will sue you.

    Dude, lock the phpadmin down! It seems that site is being the target of jackasses just smashing everything just to prove their "point". Whatever it is. Restore the database and change the admin password!!!

    Ok, it seems this is exactly the kind of thing addressed in some other thread about having databases with the default mysql "security": root with no password. Don't do it. Use passwords at the DB level. Don't just listen some "internet d00d" that says "you don't need DB security".

    Well... then again, that point also assumed you didn't have public access to the DB admin, so there may be a point to that.



  • @danixdefcon5 said:

    Ok, it seems this is exactly the kind of thing addressed in some other thread about having databases with the default mysql "security": root with no password. Don't do it. Use passwords at the DB level. Don't just listen some "internet d00d" that says "you don't need DB security".

    Well... then again, that point also assumed you didn't have public access to the DB admin, so there may be a point to that.

    Of course I understand that! But there are two problems:
    1. I don't know how to change the password.
    2. Even if I did know how, I still don't know that company's telephone number, so I couldn't tell them what I changed the password to.


  • @danixdefcon5 said:

    Ok, it seems this is exactly the kind of thing addressed in some other thread about having databases with the default mysql "security": root with no password. Don't do it. Use passwords at the DB level. Don't just listen some "internet d00d" that says "you don't need DB security".

    Well... then again, that point also assumed you didn't have public access to the DB admin, so there may be a point to that.

    That was me and you are a moron.  Having a password on the DB isn't going to help much if it allows root login -- someone will find a way in eventually.  I never said the DB should be open to the public Internet, that's just retarded. 



  • It's not on the internet, it's on localhost!



  •  @henke37 said:

    It's not on the internet, it's on localhost!

    $ nc www.example.com 80
    GET /phpmyadmin/ HTTP/1.1
    Host:localhost



  • @morbiuswilters said:

    Having a password on the DB isn't going to help much if it allows root login -- someone will find a way in eventually.  I never said the DB should be open to the public Internet, that's just retarded.

    But you can't assume the DB won't be open. Someone's bound to do something stupid as installing phpmyadmin on the public site (they did it at a former workplace) and having no passwords/IP restrictions will come to bite you eventually. In this case, however, it seems the site is on one of those "el cheapo" webhostings, so the public web interface might be their only DB admin access. So it isn't like they can just delete root@% like that.

    And did you even read that final part to the post?

    Well... then again, that point also assumed you didn't have public access to the DB admin, so there may be a point to that.

    Of course I understood in that previous discussion you refer to a DB with no public access. But things change, and sooner or later someone does a major WTF opening the DB to the internet. (I have a WTF worthy incident where this was one of the things done, against my advice.)

     



  • When I entered my current job, there was a mysql server with phpmyadmin on some server (gone by now). The procedure that the guy told me to access it is the following:

     vim /var/www/phpmyadmin/whatever.cfg

    remove the leading "!" from the "password" parameter

    Enter http://webserver/phpmyadmin and do your job quickly

    put the "!" back.

     



  • @danixdefcon5 said:

    Of course I understood in that previous discussion you refer to a DB with no public access. But things change, and sooner or later someone does a major WTF opening the DB to the internet.

    No security measures guard against this kind of thing.  Anyone who would put up phpmyadmin open the public Internet could just as easily open a million other holes.  This is just the most absurd, retarded thing ever. 



  • @morbiuswilters said:

    Anyone who would put up phpmyadmin open the public Internet could just as easily open a million other holes.

    I did find a SQL injection hole while trying to fix the database, and even after I fixed the database, the SQL injection hole is still there (it is a part of the PHP codes, not a part of the database), and obviously I do not own that web-site, so I cannot fix that hole. But it is irrelevant because the database access is not restricted anyways. Also, I don't know their telephone number, so I can't tell them to fix it either.



  • @zzo38 said:

    @morbiuswilters said:

    Anyone who would put up phpmyadmin open the public Internet could just as easily open a million other holes.

    I did find a SQL injection hole while trying to fix the database, and even after I fixed the database, the SQL injection hole is still there (it is a part of the PHP codes, not a part of the database), and obviously I do not own that web-site, so I cannot fix that hole. But it is irrelevant because the database access is not restricted anyways. Also, I don't know their telephone number, so I can't tell them to fix it either.

    Thank you, Tweaky McCrackhead. 



  • @zzo38 said:

    I do not own that web-site, so I cannot fix that hole
    Why would you even think about trying?  Let the owners know if it bugs you that much.



  • @Gnonthgol said:

     @henke37 said:

    It's not on the internet, it's on localhost!

    $ nc www.example.com 80
    GET /phpmyadmin/ HTTP/1.1
    Host:localhost

    You're right, using an apache virtual host to restrict access to the "localhost" name would be stupid.  However, server software can actually be "bound" to a specific IP (e.g. 127.0.0.1).  It will then only accept connections on that IP.  You can't spoof that.

    Memcached relies on this fact as its only security mechanism, to keep things fast and simple.




  • @merreborn said:

    Send him this URL, and explain that google has a nasty way of going places you don't want it to

    And as proof that malicious people do go looking for these things, show him this

    Using intitle:phpmyadmin instead of inurl:phpmyadmin is even better, because it finds more results and weeds out a few false positives (like source code repositories).

    mihi



  • @zzo38 said:

    Also, I don't know their telephone number, so I can't tell them to fix it either.
    Try webmaster@bronzecommnewscom.com

    Or any of the email addresses or, if you insist, phone numbers in their whois:

    http://www.whois.net/whois_new.cgi?d=bronzecommnews&tld=com  


Log in to reply
 

Looks like your connection to What the Daily WTF? was lost, please wait while we try to reconnect.