So, as some of you know, I'm working on my own PHPMyAdmin type of php script. While testing it, Reaverr stumbled upon a security hole in the MySQL server. To witness this hole, go to www.mouseisle.com/MyWebQL and use 'guest '(without the quotes of course) for both the username and password. This somehow gives an access form (not sure what the priveleges are) that allows a show database command to reveal all of the databases. It also seems to at least viewing access to the databases.

~Viz

We've been having alot of problems lately :/....

How did you stumble onto this exactly though? :S

I was having Reaverr test my script, using a database i'd setup for the purposes, but before I could get him the username and password, he tried guest and guest and got in. It was totally unintentional.

After further analysis, it seems the only thing this hole gives access to is basic information about the server, databases, no tables, status, processes, and the like, no passwords, no permissions information, still this information could be invaluable in cracking another security hole.

I have reported this to OpaQue, and he reported it to the techies in chare of the server (since it's a linux server and opaQue doesn't do linux) This weekend, if he's on, I'm going to try and work with him to identify the problem and resolve it if the tchies haven't already.

~Viz

Really weird, only guest,guest seems to work, but anything else won't.

Are you sure you didn't add some guest account or anything to your user-db? Or hardcoded anything about a guest account in your code?

I don't know if you've tried the system, yet, but when I say all the databases, I mean all of them. The restricted, ones, vujsas, yours, the works. And the word guest doesn't appear in my code at all. It's definitely a MySQL issue. There is somehow an account with those settings, pribably left from some debug operation, with root view database priveleges, but not other priveleges, some with root access could tell for sure and determine if it is a necessary sccount, or if it should be deleted.

~Viz

A critical vulnerability was found in some versions of Apple Computer's popular iTunes. This vulnerability could enable attackers to remotely take over a user's computer This vulnerability existed on the earlier version of iTunes 6. However, Itwas not fixd by the new ...more

The Internet arose out of the natural need of the worldwide to communicate, and has become the backbone of digital age. Now-a-days, the Net has reached to billions of individuals as against in the past when it was envisaged only for scientific community. A lot of business transactions take place onl ...more

Not sure how serious or relevant this is yet, as I just got told about it over the phone by my technically incompetent sister, but apparently there's something up with...you guessed it, Microsoft. Apparently Internet Explorer has some pretty heft security holes or somesuch. As I don't use IE ...more