MySQL security loophole with server,database and user name exposed
I have the following situation: Ona score of weakly secured machines a business critical application is installed. The application uses a MySQL 4 database where all the business critical data are stored.
Each application installation has a configuration file stored in ascii format which can be read and written by anyone who has access to the computer in questions.
The following information is exposed:
Server Name
Database Name
User Name
My Question is this:
- How much damage, or how big a security loophole, is this for a dedicated attacker?
- How much damage, or how big a security loophole, is this for a mid experienced attacker?
- What types of attacks the database is susceptible to?
Solution 1:
Each application installation has a configuration file stored in ascii format which can be read and written by anyone who has access to the computer
Well, don't do that then. Change the permissions on the file in question so that only those users who need to be able to read it can do so.
Solution 2:
... a score of weakly secured machines ...
So make them more secure.
"Business critical" and "weakly secured" do not play well together.
The application uses a MySQL 4 database ...
[The last "flavour" of] MySQL 4 was released in 2004 - that's 17 years (a.k.a "an Eternity") ago.
That DBMS version is obsolete and unsupported.
Whilst this isn't your biggest or most immediate problem, if that database were to break, you'd basically be on your own.
... configuration file ... can be read and written by anyone who has access to the computer
- Tighten up the file system security on that file so that only [the account running] the application process can access the file.
- Investigate [better] alternative ways of storing this information.
- Tighten up access control to the computers themselves.
I get the impression that lots of people can log onto them and that's probably not a Good Idea.