Hi Ian et al,

Thanks for the heads up on this one, it's now been fixed. The password in
the compromised document was an old one, and no current systems are using
that password so I think we are OK now.

The problem was that the DB include file was in a publicly accessible
directory on the webserver, and whereas the php file itself could not be
viewed, the gridsite history files that were created when editing could. I
have removed all history files and transferred the include file(s) to a
secured directory on the server.

Matt.

-----Original Message-----
From: LHC Computer Grid - Rollout [mailto:[log in to unmask]] On Behalf Of Ian Neilson
Sent: 06 August 2004 12:29 PM
To: [log in to unmask]
Subject: [LCG-ROLLOUT] FW: mysql inc file db totally visible on web

Somebody somewhere might want to know about this. Can we find out who and
what the implications are please?

Thanks,
Ian

| Ian Neilson
| LCG Deployment Group

-----Original Message-----
From: [log in to unmask] [mailto:[log in to unmask]] On Behalf Of Dungeon01
Sent: 06 August 2004 12:14
To: project-lcg-security-officer (Generic contact address for LCG Security Officer)
Subject: mysql inc file db totally visible on web

hi there, this is only to advise u that your stdvars.inc file is visible,
with all your ip a db data: eg:

$dbhost = 'localhost';
$dbusername = 'root';
$dbuserpassword = '********';
$default_dbname = 'goc_3';
$MYSQL_ERRNO = '';
$MYSQL_ERROR = '';

hope u'll fix it if is an error, otherwise have a nice day
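
The exposure discussed in this thread (an include file and editor-left copies sitting in a served directory while the .php page itself is executed rather than shown) can be audited for with a short script. This is an added example, not code from the thread or from the site concerned; it assumes only .php files are passed to the interpreter, and the sample file names and the password value are constructed.

```python
import re
import tempfile
from pathlib import Path

# Assumption: only these extensions are passed to the PHP interpreter;
# every other file under the document root is returned to clients as-is.
EXECUTED_EXTENSIONS = {".php"}

# PHP assignments whose variable name suggests a credential,
# e.g. $dbuserpassword = '...'; (the variable style quoted in the report).
CREDENTIAL_RE = re.compile(
    r"""\$\w*(?:pass|pwd|secret)\w*\s*=\s*(['"])(?P<value>.*?)\1""",
    re.IGNORECASE,
)

def find_exposed_credentials(docroot):
    """Return (relative path, line number) for each credential-like
    assignment in a file the web server would serve as plain text."""
    root = Path(docroot)
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() in EXECUTED_EXTENSIONS:
            continue
        text = path.read_text(errors="replace")
        for lineno, line in enumerate(text.splitlines(), start=1):
            match = CREDENTIAL_RE.search(line)
            if match and match.group("value"):  # skip empty placeholders
                findings.append((path.relative_to(root).as_posix(), lineno))
    return findings

def build_sample_docroot(base):
    """Constructed sample tree: an include file, a live PHP page and an
    editor-left copy of that page (file names are hypothetical)."""
    root = Path(base) / "htdocs"
    root.mkdir()
    secret = "$dbusername = 'root';\n$dbuserpassword = 'example-only';\n"
    (root / "stdvars.inc").write_text(secret)
    (root / "index.php").write_text("<?php\n" + secret)
    (root / "index.php.old").write_text("<?php\n" + secret)
    (root / "readme.txt").write_text("$MYSQL_ERROR = '';\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for rel_path, lineno in find_exposed_credentials(build_sample_docroot(tmp)):
            print(f"{rel_path}:{lineno}: credential in a file served as plain text")
```

Any hit means the file should be moved outside the document root, as was done here with the include file, and the credential it contains treated as disclosed.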