Feature #14682

closed

[FR] mysql access using "root" w/o password warning?

Added by old_mshigorin over 19 years ago. Updated over 18 years ago.

Status: Closed
Priority: Should have
Category: -
Target version: -
Start date: 2005-04-18
% Done: 0%

Description

It would be great to add a check/warning for the case which is quite popular as quick-and-dirty (and all of us know there's nothing more persistent than temporary): access to MySQL DB with "root" user and empty password.

Of course, if someone implements this for 3.8.0, it would be great to increase the overall security of TYPO3 installations based on that, but of course it's OK to just postpone the bug report.

Inspired by the addition of the second check here:

---
Security warning:
- The password of your Install Tool is still using the default value "joh316"
- The backend user "admin" with password "password" is still existing

It is highly recommended that you change this immediately.
---

:-)
(issue imported from #M991)


Related issues: 1 (0 open, 1 closed)

Related to TYPO3 Core - Feature #14711: Issue a warning when a BE user has a weak password (e.g. the same as the username) - Closed - 2005-04-29

#1

Updated by Michael Stucki over 19 years ago

The checks in the backend should only cover very important and very TYPO3 related security checks.

But there could be hundreds of such checks:
- Check if there's still enough disk space
- Check if the Kernel/Apache/MySQL/PHP version is outdated
- etc.

What I suggest is to write an extension for this, providing a way for extensions to register their own security checks.

#2

Updated by old_mshigorin over 19 years ago

Well, that's why I've proposed that -- because it was kind of an "assumed" setup (with more clear instructions to configure DB access properly discussed on lists).

I'd rather add a permissions check ("chmod -R 777" is proposed in README as a last resort).

Disk space, versions, mod_php vs php+suexec are clearly outside of TYPO3's scope. These two are bordering on it, though -- but you're welcome to close the bug as invalid or to postpone it until someone comes with code.

#3

Updated by Karsten Dambekalns over 19 years ago

I wouldn't add this warning. The warnings in the BE are about default settings of TYPO3, those that everyone knows and can exploit easily.

Even if root access without password was granted to the database, the database could have networking disabled completely, using sockets - then the warning is - well - half-baked, somehow.

Let's stick to clearly TYPO3-inherent warnings here...

#4

Updated by old_mshigorin over 19 years ago

Errr... on my servers MySQL isn't listening to the network by default (we're running ALT Linux), so I've filed the bugreport exactly for the "half-baked" situation. Allowing remote access to MySQL with its default privilege setup didn't come as a darkest nightmare :-)

But still, I have no code so I have no vote.

#5

Updated by Michael Stucki over 19 years ago

Please allow me to close that request as it is not going to be changed for the reasons mentioned by Karsten and me.
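
An added illustration, not part of the original thread and not TYPO3 code: a sketch of the registry of security checks suggested in comment #1, with the root/empty-password check from the description registered in it. The class name `SecurityCheckRegistry` and the `username`/`password`/`host` array keys are hypothetical, and the sample configurations are constructed.

```php
<?php
// Added illustration, not TYPO3 code. SecurityCheckRegistry and the
// 'username'/'password'/'host' keys are hypothetical names.
final class SecurityCheckRegistry
{
    private $checks = [];   // check name => callable(array $db): ?string

    public function register(string $name, callable $check): void
    {
        $this->checks[$name] = $check;
    }

    // Run every registered check; return the warnings that fired.
    public function run(array $db): array
    {
        $warnings = [];
        foreach ($this->checks as $name => $check) {
            $message = $check($db);
            if ($message !== null) {
                $warnings[$name] = $message;
            }
        }
        return $warnings;
    }
}

$registry = new SecurityCheckRegistry();
$registry->register('db_root_empty_password', function (array $db): ?string {
    if ($db['username'] !== 'root' || $db['password'] !== '') {
        return null;
    }
    // The configured host cannot prove whether MySQL accepts network
    // connections, so it is reported as context rather than as a verdict.
    $local = in_array($db['host'], ['', 'localhost', '127.0.0.1', '::1'], true)
        || strncmp($db['host'], '/', 1) === 0;   // path to a Unix socket
    return 'The database is accessed as user "root" with an empty password ('
        . ($local ? 'local host or socket' : 'remote host ' . $db['host']) . ')';
});

// Constructed sample configurations.
$samples = [
    ['username' => 'root', 'password' => '', 'host' => 'localhost'],
    ['username' => 'root', 'password' => '', 'host' => 'db.example.org'],
    ['username' => 'typo3', 'password' => 'constructed-secret', 'host' => 'localhost'],
];
foreach ($samples as $db) {
    foreach ($registry->run($db) as $warning) {
        echo "Security warning:\n- $warning\n";
    }
}
```

The check reads only the application's own connection settings, so it flags the credential choice itself and leaves the question raised in comment #3, whether the server is reachable over the network, to the administrator.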
