this is not really a security issue!
if you hung your door key on the front porch it would be your fault
if you got robbed, too.

it's the responsibility of the (cake) developer to turn debug off in
production mode.
non-production pages should be behind htaccess protection etc.

simply write those developers an email (the address can usually be
obtained from the domain).
this has nothing to do with cake itself - at least if debug is > 0

i did open a related ticket:
http://cakephp.lighthouseapp.com/projects/42648/tickets/1780-proper-apperror-on-mysql-errors
this would throw an app error right away in those situations instead
of continuing with the above warnings.



On 20 Jun., 21:18, yoodey <[email protected]> wrote:
> Hello all,
>
> I was randomly browsing and got a website with a database connection
> error.
> It gave me an error page: Warning (2): mysql_connect() [function.mysql-
> connect]: Access denied for user ...
>
> So I clicked on the Context option and got this information.
>
> $config =       array(
>         "persistent" => false,
>         "host" => "xxxxxxxxxxxxxxxxxxx",
>         "login" => "dbxxxxx",
>         "password" => "dbtxxx",
>         "database" => "dbxxxxx",
>         "port" => "3306",
>         "driver" => "mysql",
>         "prefix" => "",
>         "encoding" => "UTF8"
> )
>
> To avoid other people doing bad things, I'm not showing the real error
> information.
>
> I ran mysql commands based on that information and guess what? I
> got full access!
> Curious about this error, I did a little research and found more than
> 1000 websites with mysql root access. (there are many others, but I'm
> too tired to check them one by one).
>
> This is a very dangerous thing, and I'm a big fan of CakePHP. I'm working
> on a 50K/day visitors website powered by CakePHP and I don't want
> this to happen to me.
>
> So, please tell me which people at cakephp.org should be contacted
> about this issue. Opening a ticket would leak real information about
> the victim website.
>
> Thanks
>
> Yoodey
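The thread's point is that the credential leak only happens because debug is left above 0 in production, so the warning is rendered together with its $config context. The snippet below is an added example, not code from the thread or from the CakePHP project: a debug-level block for app/config/core.php that defaults to production (debug 0) and only turns context output on for hosts that are explicitly listed. The APP_ENV variable, the host list and the loopback guard are assumptions made for the example; Configure::write('debug', …) is CakePHP's own setting.

```php
<?php
// Added example (not from the thread or the CakePHP project): choose the
// CakePHP debug level so that an unconfigured or forgotten host can never
// render error context (and the $config block with it) to visitors.
// Assumptions: this runs inside app/config/core.php, so Configure is loaded;
// APP_ENV and the host list below are invented for this example.

// Hosts that are allowed to run with debug output. Anything not listed,
// including a freshly cloned staging box, falls back to 0.
$allowedDebugHosts = array(
    'localhost',
    'dev.example.test',
);

$env  = getenv('APP_ENV');   // e.g. set with "SetEnv APP_ENV dev" in Apache
$host = isset($_SERVER['SERVER_NAME']) ? $_SERVER['SERVER_NAME'] : '';

$debugLevel = 0;             // production: no warnings, no error context
if ($env === 'dev' && in_array($host, $allowedDebugHosts, true)) {
    $debugLevel = 2;         // development: errors shown with context
}

// With 0, the mysql_connect() warning from the thread is never rendered with
// its $config context; the visitor only sees the generic error page.
Configure::write('debug', $debugLevel);

// Second line of defence: if debug ended up on but the client is not local,
// refuse the request rather than risk exposing the database block.
$localClients = array('127.0.0.1', '::1');
if ($debugLevel > 0 && isset($_SERVER['REMOTE_ADDR'])
    && !in_array($_SERVER['REMOTE_ADDR'], $localClients, true)) {
    header('HTTP/1.1 403 Forbidden');
    exit('Debug output is only served to local clients.');
}
```

The default-to-0 ordering matters more than the host list: a deploy that forgets to set APP_ENV lands in production mode, which is the failure direction you want. The loopback guard is the "non-production pages behind protection" idea from the reply expressed in code; an htaccess rule on the staging vhost achieves the same thing without touching the application.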
