Feature #14682
closed
[FR] mysql access using "root" w/o password warning?
Added by old_mshigorin over 19 years ago.
Updated over 18 years ago.
Description
It would be great to add check/warning for the case which is quite popular as quick-and-dirty (and all of us know there's nothing more persistent than temporary): access to MySQL DB with "root" user and empty password.
Of course if someone implements this for 3.8.0, would be great to increase overall security of TYPO3 installations based on that but of course OK to just postpone the bugreport.
Inspired by the addition of the second check here:
---
Security warning:
- The password of your Install Tool is still using the default value "joh316"
- The backend user "admin" with password "password" is still existing
It is highly recommended that you change this immediately.
---
:-)
(issue imported from #M991)
The checks in the backend should only cover very important and very TYPO3 related security checks.
But there could be hundreds of such checks:
- Check if there's still enough disk space
- Check if the Kernel/Apache/MySQL/PHP version is outdated
- etc.
What I suggest is to write an extension for this, providing a way for extensions to register their own security checks.
Well that's why I've proposed that -- because it was kind of "assumed" setup (with more clear instructions to configure DB access properly discussed on lists).
I'd rather add permissions check ("chmod -R 777" is proposed in README as a last-resort).
Disk space, versions, mod_php vs php+suexec are clearly outside of TYPO3's scope. These two are bordering on it, though -- but you're welcome to close the bug as invalid or to postpone it until someone comes with code.
I wouldn't add this warning. The warnings in the BE are about default settings of TYPO3, those that everyone knows and can exploit easily.
Even if root access without password was granted to the database, the database could have networking disabled completely, using sockets - then the warning is - well - half-baked, somehow.
Let's stick to clearly TYPO3-inherent warnings here...
Errr... on my servers MySQL isn't listening to the network by default (we're running ALT Linux), so I've filed the bugreport exactly for the "half-baked" situation. Allowing remote access to MySQL with its default privilege setup didn't come as a darkest nightmare :-)
But still, I have no code so I have no vote.
Please allow me to close that request as it is not going to be changed for the reasons mentioned by Karsten and me.
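The check requested in this issue, combined with the socket objection raised in the discussion, as an added illustration (not code from TYPO3 or from any participant in this thread). The function names and the array keys `username`, `password` and `host` are hypothetical, and the sample settings are constructed.

```php
<?php
// Added illustration; function names and array keys are hypothetical, not TYPO3 API.

/**
 * Classify a MySQL host string ("localhost", ":/path/to/socket",
 * "localhost:/path/to/socket", "host", "host:port") as 'local' or 'remote'.
 */
function classifyDbHost(string $host): string
{
    $host = strtolower(trim($host));
    if (strpos($host, ':/') !== false) {
        return 'local';                       // explicit Unix socket path
    }
    if (in_array($host, ['::1', '[::1]'], true)) {
        return 'local';                       // IPv6 loopback
    }
    $name = explode(':', $host, 2)[0];        // strip an optional ":port"
    // Assumption: an empty host means the client default, treated here as local.
    return in_array($name, ['', 'localhost', '127.0.0.1'], true) ? 'local' : 'remote';
}

/** Return warning strings for "root" with an empty password. */
function dbRootWarnings(array $db): array
{
    if (($db['username'] ?? '') !== 'root' || ($db['password'] ?? '') !== '') {
        return [];
    }
    $msg = 'The database is accessed as MySQL user "root" with an empty password';
    if (classifyDbHost($db['host'] ?? 'localhost') === 'remote') {
        $msg .= ' over the network.';
    } else {
        // The client settings cannot show whether the server has networking disabled.
        $msg .= ' via a local connection; exposure depends on whether the'
              . ' server also accepts network logins.';
    }
    return [$msg];
}

// Constructed sample settings.
$samples = [
    ['username' => 'root',  'password' => '',       'host' => 'localhost'],
    ['username' => 'root',  'password' => '',       'host' => 'db.example.org:3306'],
    ['username' => 'typo3', 'password' => 's3cret', 'host' => 'localhost'],
];
foreach ($samples as $cfg) {
    foreach (dbRootWarnings($cfg) as $warning) {
        echo $cfg['host'], ': ', $warning, PHP_EOL;
    }
}
```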