Google Web Service Vulnerability leaks Database Username and Password
A vulnerability in google has been released on http://www.0x000000.com/index.php.
"A large hole has been found inside Google's service: "the removal of websites tool" Earlofgrey reported about it today. There was not much info available, so I decided to check it out myself before it is plugged. Apparently it is a simple directory that wasn't protected, so we can traverse up their directory root and browse folders. A study gave me the impression this hole is unique, legit and not a honey pot. Now it can happen the best of the best that a directory becomes readable. But, one must never, ever, not in a million years, store your database connection info in a folder that can be viewed remotely. Like the www folder."
Quoting the author
"I found the following information in the folders:
# Database stuff
DBDriver = org.gjt.mm.mysql.Driver
DBUrl = jdbc:mysql://localhost/dbRemoveUrl
DBLogin = root
# put password in before the push
DBPassword = k00k00 "
If this is true today is going to suck for someone...
Comments
All Comments are Moderated and will be delayed!
Post a comment