• TruePony (unregistered)

    Obviously TRWTF is the contractor didn’t add that URL to the website’s robots.txt to let all the bad people know that visiting that page was not allowed

  • Robin (unregistered)

    I don't understand the last bit - PhPMyAdmin is third party software and I've never seen it without a login screen. Did our hero somehow hack around that to remove the login page?

    Although I feel a more characteristic conclusion would have been that there is a login page, but the username is "admin" with password "password". And the password would either be hardcoded in the source code, or stored in plaintext in the database. Or probably both.

  • Robin (unregistered)

    And aside from the gaping security holes, there's a coding curiosity which isn't mentioned in the commentary. It appears you need to set these query parameters to special "magic" values ("NoLoc" etc) to turn off that part of the search. Is simply omitting a query parameter not something that's done by this contractor?

  • Brian Boorman (unregistered) in reply to Robin

    phpMyAdmin has a config file that can be set up with the DB credentials embedded and can be configured so as to not require a login (at least in older versions - I haven't used it in a while). In fact in the really old versions you controlled access to it via a .htaccess file.

  • (nodebb) in reply to Robin

    I'm not a PHP person, but apparently PhPMyAdmin allows (or if not currently, then allowed at one time) login credentials to be put in a plain-text config file, as a convenience while developing on your local machine. Of course, that configuration should never make it into an actual dev environment, much less production. And the environments should have different credentials, so the information in the config shouldn't work even if it did make it past the developer's local machine. But who's taking bets on whether there was ever any non-production environment to begin with?

  • LCrawford (unregistered)

    The PhPMyAdmin curiosity is just as likely a leftover shell that had been used to plant malware or phishing pages on the site and never cleaned up.

  • (nodebb)

    How do we know that a given room did not fit into multiple "type_id??" categories and that the user could only search for 1....

  • Naomi (unregistered) in reply to TheCPUWizard

    Graeme, I imagine.

  • I Read The Comments (unregistered) in reply to Robin

    "without a login screen", it says: "no password or other inconvenience required." The default in PHPMyAdmin is User "root" and password "", so.... no password needed, it's a blank password. It was never said no login screen.


Leave a comment on “Contractor's Leftovers”
