« Firefox 0day local file reading | Main | Phrack is back! »

Google Web Service Vulnerability leaks Database Username and Password

A vulnerability in google has been released on http://www.0x000000.com/index.php.

"A large hole has been found inside Google's service: "the removal of websites tool" Earlofgrey reported about it today. There was not much info available, so I decided to check it out myself before it is plugged. Apparently it is a simple directory that wasn't protected, so we can traverse up their directory root and browse folders. A study gave me the impression this hole is unique, legit and not a honey pot. Now it can happen the best of the best that a directory becomes readable. But, one must never, ever, not in a million years, store your database connection info in a folder that can be viewed remotely. Like the www folder."

Quoting the author

"I found the following information in the folders:

# Database stuff
DBDriver = org.gjt.mm.mysql.Driver
DBUrl = jdbc:mysql://localhost/dbRemoveUrl
DBLogin = root
# put password in before the push
DBPassword = k00k00 "

If this is true today is going to suck for someone...


Feed You can follow this conversation by subscribing to the comment feed for this post.

All Comments are Moderated and will be delayed!