Gordon Burditt [mailto:[EMAIL PROTECTED]] wrote:
>
> There's a problem here: you need to have whatever
> information is needed to access MySQL (or any other database)
> in those files. If someone else on the same machine can get
> that information, he can also access the database. It
> doesn't matter if this information is encrypted for
> transmission - every client knows how to do that.

[clip]
Thanks for the detailed explanation of where the holes lie and why MySQL can't see anything other than what the client provides. I understand now where the holes are, but it would certainly be a project worth tackling if the result were a secure database connection from what is inherently an insecure shared server environment.

As I continue to look around, the results are truly frightening. I've let dozens of people on two servers I use know that I can read their config files. This, without more than 20 minutes of playing with a PHP script. I know these people, and asked them before I probed their directories. One of the servers has a significant number of shopping cart accounts on it - the specialty of the hosting vendor. In this particular shopping cart application, many orders in the database store a plain text credit card number until the order is picked up by the merchant.

I think I'll write an article detailing the problem. I won't pick on MySQL - it's certainly not a problem only with MySQL, but with any information stored in configuration files. More people should understand the risks here - certainly more people should pressure their hosting companies for more secure configurations.

-t

---------------------------------------------------------------------
Before posting, please check:
http://www.mysql.com/manual.php (the manual)
http://lists.mysql.com/ (the list archive)

To request this thread, e-mail <[EMAIL PROTECTED]>
To unsubscribe, e-mail <[EMAIL PROTECTED]>
Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
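As an added example (not code from this thread or from either poster): a small self-audit an account owner can run over their own web tree to list configuration files that carry the "other"-readable bit, which on a shared host means every other account on the machine can read them. The set of config file names and the sample tree are assumptions constructed for the demonstration.

```python
import os
import stat
import tempfile

# File names that commonly hold database credentials on a PHP host
# (an assumed list; extend it for the applications actually deployed).
CONFIG_NAMES = {"config.php", "config.inc.php", "settings.php", "db.php", ".my.cnf"}


def world_readable_configs(root):
    """Return (path, octal mode) for config-like regular files under root
    whose mode has the o+r bit set, i.e. readable by any local account."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name not in CONFIG_NAMES:
                continue
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode  # lstat: do not follow symlinks
            if stat.S_ISREG(mode) and mode & stat.S_IROTH:
                findings.append((path, oct(stat.S_IMODE(mode))))
    return sorted(findings)


def demo():
    """Constructed sample tree: one world-readable config, one locked down.
    Returns (flagged paths, path of the exposed file, path of the safe file)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "site-a"))
    os.makedirs(os.path.join(root, "site-b"))
    exposed = os.path.join(root, "site-a", "config.php")
    safe = os.path.join(root, "site-b", "config.php")
    for path in (exposed, safe):
        with open(path, "w") as fh:
            fh.write("<?php $db_pass = 'PLACEHOLDER'; ?>\n")  # constructed content
    os.chmod(exposed, 0o644)  # readable by every account on the box
    os.chmod(safe, 0o640)     # owner and web-server group only
    flagged = [path for path, _mode in world_readable_configs(root)]
    return flagged, exposed, safe


if __name__ == "__main__":
    flagged, _, _ = demo()
    for path in flagged:
        print("world-readable:", path)
```

Removing o+r only helps when each customer's PHP runs under its own UID (suEXEC, per-user php-fpm pools); if the host runs every customer's scripts as one shared web-server user, that user can still open the file regardless of these bits, and the fix has to come from the hosting configuration.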