How are exposed db credentials misused?

Posted: Tue Mar 04, 2008 4:52 am
by matthijs
Ok, this is probably a silly question. But still something I was wondering about. I've read everything about how SQL injection can happen and what to do to prevent it, and I know about the dangers and difficulties of storing db credentials.

But, in general terms, what if someone gets your db login and password? Say by a (temporarily) misconfigured web server showing the PHP code in plain text? Would a potential hacker use telnet or something?

I know it's not allowed to show code to exploit on this forum, but a general explanation would be fine.

(and the reason I ask is because I stumbled upon some source code of a website with its db credentials in plain text. I think due to a misconfigured server or an error in the code. I will contact the owner to warn him. I could probably try and figure something out myself, but obviously I don't want to do that for legal reasons ;) )

Re: How are exposed db credentials misused?

Posted: Tue Mar 04, 2008 8:12 am
by able
Easiest solution is to store the file with the credentials outside of the document root so it can't be displayed.

If they were displayed, the person could try and connect to the database directly. This is where basic db security comes in: limit connections allowed from different networks. Don't allow anyone to connect; if you need remote connections, tie it to specific people's IPs.
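
The two measures in the reply above (credentials file outside the document root, database accounts tied to specific hosts) can be checked with a short audit. This is an added example, not part of the original post; the paths and account rows are constructed sample data, with the rows shaped like the output of `SELECT user, host FROM mysql.user`.

```python
import os

# Hosts that only permit connections from the database server itself.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

def inside_docroot(path, docroot):
    """True if path resolves (symlinks and '..' included) to a location under docroot."""
    path, docroot = os.path.realpath(path), os.path.realpath(docroot)
    return os.path.commonpath([path, docroot]) == docroot

def classify_host(host):
    """Classify the host part of a MySQL account ('user'@'host')."""
    if host in LOCAL_HOSTS:
        return "local-only"
    if host == "%":
        return "any-host"        # account accepts connections from every address
    if "%" in host:
        return "wildcard-range"  # e.g. a whole subnet rather than one address
    return "single-host"

def audit(docroot, credential_files, accounts):
    """Return (finding, subject) tuples for web-servable credential files and loose host rules."""
    findings = []
    for f in credential_files:
        if inside_docroot(f, docroot):
            findings.append(("credentials-in-docroot", f))
    for user, host in accounts:
        kind = classify_host(host)
        if kind in ("any-host", "wildcard-range"):
            findings.append((kind, f"{user}@{host}"))
    return findings

# Constructed sample input (hypothetical site layout and accounts).
DOCROOT = "/srv/example-site/public"
FILES = [
    "/srv/example-site/public/includes/db.php",    # served if PHP handling breaks
    "/srv/example-site/public/../private/db.php",  # resolves outside the docroot
]
ACCOUNTS = [("shop", "localhost"), ("shop", "%"),
            ("report", "192.0.2.%"), ("admin", "203.0.113.7")]

if __name__ == "__main__":
    for kind, subject in audit(DOCROOT, FILES, ACCOUNTS):
        print(f"{kind}: {subject}")
```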

Re: How are exposed db credentials misused?

Posted: Tue Mar 04, 2008 8:24 am
by Zoxive
By default MySQL has remote connections off.

The next downfall would be if you had a program like phpmyadmin running on the server.

Re: How are exposed db credentials misused?

Posted: Tue Mar 04, 2008 8:44 am
by matthijs
Zoxive wrote: By default MySQL has remote connections off.
Ok, good to know.
Zoxive wrote: The next downfall would be if you had a program like phpmyadmin running on the server.
Yes, indeed, many hosts have that running. One thing I also often see is that the login to access phpmyadmin is the same as the db credentials.

In this case I don't know if this person has phpmyadmin running, but I guess it wouldn't be too difficult to find out.

Re: How are exposed db credentials misused?

Posted: Tue Mar 04, 2008 8:53 am
by Zoxive
matthijs wrote: One thing I also often see is that the login to access phpmyadmin is the same as the db credentials.
That is just what it is.