Gossamer Forum

How to stop security breach ?

Possibly more of a MySQL issue than a GF one, but I'll ask here in case I'm wrong or in case someone knows the answer.
If I log into my forums as Admin (i.e. run admin.cgi), I have a tools menu option. Off that I can run MySqlMan. If I do that then I can successfully access all the tables in the forum. All well and good. If however I click on the MySql hot link at the top of the page, I then have full access to all databases and tables on the MySQL server, whether they're anything to do with GF or not.
How can I change this so that MySqlMan when launched from GF only has access to the GF tables ?
Re: [davidnavigator] How to stop security breach ? In reply to
I believe you have to limit the databases to a specific user.

Are you logging into the DB with "root" ? If so, I'd suggest using a lower level user (just in case of a security breach, as this has the potential for a hacker to delete ALL your data from every database!).

Good luck with getting it working :) (sorry I can't be of much more help, but that's about my limit of knowledge in these kinds of matters <G>).

Cheers

Andy (mod)
andy@ultranerds.co.uk
Re: [davidnavigator] How to stop security breach ? In reply to
Hi,

This is indeed a MySQL configuration issue. MySQLMan will show you whatever you have access to.

To fix, you should reset up the permissions that the Gossamer Forum user connects with. It should be something like:

grant all on gforum.* to gforumuser@localhost identified by 'gforumpass';

That should give user 'gforumuser' only access to the gforum database.

Cheers,

Alex
--
Gossamer Threads Inc.
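
The fix described in the reply above, written out as an added example (not part of the original posts and not Gossamer Threads' own code). It assumes the database, account and password names used in that reply (`gforum`, `gforumuser`, `gforumpass`) and a MySQL version that supports `CREATE USER IF NOT EXISTS`; run it from an administrative MySQL account.

```sql
-- Added example: scope the forum's MySQL account to the forum database only.
-- 'gforum', 'gforumuser' and 'gforumpass' are the names from the reply above;
-- treat the password as a placeholder and replace it.

-- 1. Audit: list every account that holds server-wide (global) privileges.
--    An application account should not appear here with anything but USAGE.
SELECT GRANTEE, PRIVILEGE_TYPE
FROM information_schema.USER_PRIVILEGES
WHERE PRIVILEGE_TYPE <> 'USAGE'
ORDER BY GRANTEE, PRIVILEGE_TYPE;

-- 2. Create the dedicated account. MySQL 8.0 no longer accepts
--    IDENTIFIED BY inside GRANT, so the account is created first.
CREATE USER IF NOT EXISTS 'gforumuser'@'localhost'
  IDENTIFIED BY 'gforumpass';

-- 3. If the account already existed, clear whatever it was given before.
--    This form removes global, database, table and column privileges,
--    so it has to run before the GRANT in step 4, not after it.
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'gforumuser'@'localhost';

-- 4. Grant rights on the forum database and nothing else.
GRANT ALL PRIVILEGES ON gforum.* TO 'gforumuser'@'localhost';

-- 5. Verify from the administrative session: the only ON *.* entry for the
--    account should be USAGE (which carries no privileges).
SHOW GRANTS FOR 'gforumuser'@'localhost';

-- 6. Verify from the application's side. Connect as gforumuser and run:
--      SHOW GRANTS;      -- same result as step 5
--      SHOW DATABASES;   -- lists only what the account has privileges on
--    A tool such as MySQLMan, connecting with this account, is limited
--    in the same way because it inherits the account's privileges.
```

The forum's database connection settings then have to be switched from the administrative account to this one; until that is done, the tool launched from the admin panel still connects with the old privileges.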
Re: [Alex] How to stop security breach ? In reply to
Many thanks. It looks like this was of my own doing. It seems that when I first installed GT as a trial I used the main admin MySQL account :(
I'll change it to a GT specific one.