Change your Afternic password

This isn't really related to anything normally on my site, but if you're an Afternic customer, you should change your password as soon as possible. Just before the website went down for a little while to a " / is Forbidden" message, I got the error message pasted at the bottom.

For those of you who don't know what that gibberish means, there are a few things in it that tell me their security is severely lacking.
 
First, they are connecting to their SQL server from their web application as "admin". It could be a dummy account, but it could also be their actual MySQL admin account. This is extremely bad practice: any successful SQL injection attack against their web server would run SQL as the administrator account.

Second, the admin password was in cleartext in the error message. I'm sure I'm not the only one who saw this. I've removed it from the paste, but as best I can figure, their SQL admin password is now out in the wild. You can't get to their SQL server directly, as the hostname resolves to an internal IP, but a successful attack on their web server would give you access. Hopefully their downtime right now is a technical glitch and they're not being attacked.

Third, their PHP configuration is set to display full errors to remote users, which is what let me see their admin password in the first place. If they switch the connection to a more restricted user but keep the same configuration, the next password will be exposed the same way.
I've emailed them; I'll update here if I get a response.
 

Error: mysql_connect(): Can't connect to MySQL server on 'devandb1.buydomains.com' (110)
Code: 256 | Severity: 2 | File: /etc/helium/system/core/DB.php | Line: 108

#0 [internal function]: Helium\exception_error_handler(2, 'mysql_connect()...', '/etc/helium/sys...', 108, Array)
#1 /etc/helium/system/core/DB.php(108): mysql_connect('devandb1.buydom...', 'admin', 'THEIRSQLADMINPASSWORD!!!')
#2 /etc/helium/system/core/DB.php(87): Helium\DB->bridge('devandb1.buydom...', 'admin', 'THEIRSQLADMINPASSWORD!!!')
#3 /etc/helium/system/core/DB.php(62): Helium\DB->point('master', false)
#4 /etc/helium/system/core/DB.php(19): Helium\DB->connect('master')
#5 /etc/helium/system/load.php(82): Helium\DB->__construct()
#6 /var/www/BuyDomains/html/index.php(23): require_once('/etc/helium/sys...')
#7 {main}
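As an added example (my own illustration, not Afternic's code or their Helium framework), here is how a PHP front controller can keep a database failure like the one above out of the browser: errors are logged server-side only, argument values such as passwords are dropped from exception traces, and the application connects with a least-privilege account instead of "admin". The hostname, database name, account name and log path are placeholders.

```php
<?php
// Added example, not code from the site discussed above.
// Hardened error handling for a PHP front controller (PHP >= 7.4).

// --- php.ini equivalents; shown inline for illustration, but set them in php.ini
//     so that parse and startup errors are covered as well ---
ini_set('display_errors', '0');                // never render errors to remote users
ini_set('log_errors', '1');                    // keep them, but server-side only
ini_set('error_log', '/var/log/php/app.log');  // placeholder path
// Omit argument values (e.g. the password passed to a connect call) from traces.
ini_set('zend.exception_ignore_args', '1');
error_reporting(E_ALL);

// Route every PHP error into an exception so a single handler sees all of them.
set_error_handler(function (int $no, string $msg, string $file, int $line): bool {
    throw new ErrorException($msg, 0, $no, $file, $line);
});

// The one place that turns an exception into an HTTP response.
set_exception_handler(function (Throwable $e): void {
    $ref = bin2hex(random_bytes(4));  // correlation id: shown to the user, kept in the log
    // Full detail, including the trace, goes to the log only.
    error_log(sprintf('[%s] %s: %s in %s:%d%s%s', $ref, get_class($e), $e->getMessage(),
        $e->getFile(), $e->getLine(), PHP_EOL, $e->getTraceAsString()));
    http_response_code(500);
    header('Content-Type: text/plain');
    echo "An internal error occurred. Reference: {$ref}\n";
});

// Credentials come from the environment, not from source or a world-readable config.
// DB_USER should be an application account limited to the app's own schema
// (SELECT/INSERT/UPDATE/DELETE), never the MySQL administrative account.
$dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4',
    getenv('DB_HOST') ?: 'db.internal.example',   // placeholder host
    getenv('DB_NAME') ?: 'appdb');                // placeholder database
$pdo = new PDO($dsn, getenv('DB_USER') ?: 'app_rw', getenv('DB_PASS') ?: '', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,  // failures become exceptions
    PDO::ATTR_EMULATE_PREPARES => false,                   // real server-side prepares
]);
```

If the connection fails, the user sees only the generic message and reference id, while the trace (with connect arguments omitted) lands in the server log for the operator.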

 

© 2003-2012 Mindtester.com