Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Cryptocard database

From: Noel Rosenberg <noel () thesubnet net>
Date: Fri, 18 Feb 2005 18:04:56 -0500 (EST)
On Wed, 16 Feb 2005, John Madden wrote:
| Doing an internal pen-test for a company i came across
| a mysql db that contains the Cryptocard tokens
| database (root with no password) 

Not only should the mysql be secured, it shouldn't even be accessable from 
off the machine that needs to query the database.

IIRC, cadmind actually wanted to talk via the network port only, so we 
allow networking for mysql, then firewall off 3306 to only allow 
connections from the local system.

-Noel

---Noel Rosenberg
---noel () thesubnet net
---Sleep Vampire
---"One does not win a mud-slinging fest by getting into the mud;
---    The pigs have the home field advantage."
Previous By Date Next
Previous By Thread Next

Current thread: