Re: Cryptocard database

From: Noel Rosenberg (noel@thesubnet.net)
Date: Fri Feb 18 2005 - 18:04:56 EST


On Wed, 16 Feb 2005, John Madden wrote:
| Doing an internal pen-test for a company i came across
| a mysql db that contains the Cryptocard tokens
| database (root with no password)

Not only should the mysql be secured, it shouldn't even be accessable from
off the machine that needs to query the database.

IIRC, cadmind actually wanted to talk via the network port only, so we
allow networking for mysql, then firewall off 3306 to only allow
connections from the local system.

-Noel

---Noel Rosenberg
---noel@thesubnet.net
---Sleep Vampire
---"One does not win a mud-slinging fest by getting into the mud;
--- The pigs have the home field advantage."



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:16 EDT