How are exposed db credentials misused?

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

How are exposed db credentials misused?

Post by matthijs »

Ok, this is probably a silly question. But still something I was wondering about. I've read everything about how sql injection can happen and what to do to prevent it, I know about the dangers and difficulties of storing db credentials.

But, in general terms, what if someone gets your db login and password? Say by a (temporarily) misconfigured web server showing the PHP code in plain text? Would a potential hacker use telnet or something?

I know it's not allowed to show code to exploit on this forum, but a general explanation would be fine.

(And the reason I ask is because I stumbled upon some source code of a website with its db credentials in plain text. I think due to a misconfigured server or an error in the code. I will contact the owner to warn him. I could probably try and figure something out myself, but obviously I don't want to do that for legal reasons ;) )

able
Forum Newbie
Posts: 4
Joined: Sun Mar 02, 2008 9:53 pm

Re: How are exposed db credentials misused?

Post by able »

Easiest solution is to store the file with the credentials outside of the document root so it can't be displayed.

If they were displayed, the person could try and connect to the database directly. This is where basic db security comes in: limit the connections allowed from different networks. Don't allow anyone to connect; if you need remote connections, tie them to specific people's IPs.
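As an added example (not from the thread), here is what able's advice to restrict who may connect looks like in MySQL account grants: the wildcard-host form that a leaked password would be usable with from any network, beside an application account pinned to the web server itself and a maintenance account pinned to one address, plus a query to audit for the wildcard form. The account names, database name and address are assumptions.

```sql
-- Added example, not the thread's own code. 'webapp', 'dba', the schema 'shop'
-- and the address 203.0.113.10 are constructed placeholders.

-- Weak: a wildcard host means anyone holding the leaked password can connect
-- from wherever the server listens, and ALL on *.* hands them every database.
-- CREATE USER 'webapp'@'%' IDENTIFIED BY 'placeholder-password';
-- GRANT ALL PRIVILEGES ON *.* TO 'webapp'@'%';

-- Hardened: the application account may only connect from the web server
-- itself and only gets the verbs it needs on its own schema. If PHP connects
-- over TCP to 127.0.0.1 and name resolution is disabled (skip-name-resolve),
-- use the host '127.0.0.1' instead of 'localhost'.
CREATE USER 'webapp'@'localhost' IDENTIFIED BY 'placeholder-password';
GRANT SELECT, INSERT, UPDATE, DELETE ON shop.* TO 'webapp'@'localhost';

-- A remote maintenance account, if one is really needed, is pinned to a
-- single administrator address rather than opened to the whole internet.
CREATE USER 'dba'@'203.0.113.10' IDENTIFIED BY 'placeholder-password';
GRANT ALL PRIVILEGES ON shop.* TO 'dba'@'203.0.113.10';
FLUSH PRIVILEGES;

-- Audit: list every account that can connect from anywhere or from a whole
-- subnet. These are the accounts a leaked credential is usable with remotely.
-- (In LIKE, '\%' matches a literal percent sign; '/' catches netmask hosts.)
SELECT user, host
  FROM mysql.user
 WHERE host = '%'
    OR host LIKE '%\%%'
    OR host LIKE '%/%';
```

The audit query should come back empty on a server that only serves a local PHP application; any row it returns is an account worth re-scoping or removing.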
Zoxive
Forum Regular
Posts: 974
Joined: Fri Apr 01, 2005 4:37 pm
Location: Bay City, Michigan

Re: How are exposed db credentials misused?

Post by Zoxive »

By default MySQL has remote connections off.

The next downfall would be if you had a program like phpmyadmin running on the server.
matthijs
DevNet Master
Posts: 3360
Joined: Thu Oct 06, 2005 3:57 pm

Re: How are exposed db credentials misused?

Post by matthijs »

Zoxive wrote:By default MySQL has remote connections off.
Ok, good to know.
Zoxive wrote:The next downfall would be if you had a program like phpmyadmin running on the server.
Yes, indeed, many hosts have that running. One thing I also often see is that the login to access phpmyadmin is the same as the db credentials.

In this case I don't know if this person has phpmyadmin running, but I guess it wouldn't be too difficult to find out.
Zoxive
Forum Regular
Posts: 974
Joined: Fri Apr 01, 2005 4:37 pm
Location: Bay City, Michigan

Re: How are exposed db credentials misused?

Post by Zoxive »

matthijs wrote:One thing I also often see is that the login to access phpmyadmin is the same as the db credentials.
That is just what it is.