1. Please take a little time for this simple survey! Thank you for participating!
    Dismiss Notice
  2. Dear Pleskians, please read this carefully! New attachments and other rules Thank you!
    Dismiss Notice
  3. Dear Pleskians, I really hope that you will share your opinion in this Special topic for chatter about Plesk in the Clouds. Thank you!
    Dismiss Notice

Security Alert!

Discussion in 'Plesk for Linux - 8.x and Older' started by agbate, Apr 9, 2006.

  1. agbate

    agbate Guest

    I just noticed this problem today when I was running into an issue with horde not finding the database properly.

    It appears that the log file, /var/log/psa-horde.log is owned by apache and not root.

    Personally, I find this quite scary considering that log lines such as this are present:

    DB Error: extension not found: mysql, , /var/lib/mysql/mysql.sock, unix, localhost, horde, horde, XXXXXXXX, utf8, horde, horde.perms, horde_datatree, horde_datatree_attributes

    Where XXXXXXXX is the database password, which if it wasn't changed for user 'horde' is also the password of the admin login for mysql.

    Considering the number of phpbb/nuke/mambo exploits that allow users to gain access to user apache, this issue concerns me.

    I just thought I'd share this with everyone incase no one noticed. Just another reason to make sure all your scripts are up to date.