Reply to post: Re: Had it coming...

MongoDB ransom attacks soar, body count hits 27,000 in hours


Re: Had it coming...

So what you are basically saying is that no one should be using, say, SQLite for storage?

Just like this setup, it has no authentication whatsoever and can very well be used in a way that's vulnerable to SQL injection.

This is mostly an issue when the DB server allows multiple commands in a single query (; EXEC xp_cmdshell, anyone?), which MySQL doesn't (technically maybe you can go out of your way to enable it though).

Apart from that, the difference between using the root user vs. using a user with full access to all databases (I'll even hazard a guess that it's actually database, singular, in this case) isn't huge.

I'm not saying this is good practice or anything, just that it falls into the "general sanity, should fix" bucket and not the "gaping security hole, fix yesterday" bucket.
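The single-statement versus multi-statement distinction raised in the comment above, as an added example that is not part of the original comment: it uses Python's `sqlite3` module, where `execute()` accepts one statement and `executescript()` runs all of them, and compares both against a bound parameter. The table, rows and input string are constructed for illustration.

```python
import sqlite3

# Constructed input with the stacked-statement shape the comment mentions.
STACKED = "alice'; DROP TABLE notes; --"

def make_db():
    """In-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        "CREATE TABLE notes(owner TEXT, body TEXT);"
        "INSERT INTO notes VALUES ('alice', 'a1'), ('bob', 'b1');"
    )
    return db

def table_exists(db):
    row = db.execute(
        "SELECT count(*) FROM sqlite_master WHERE type='table' AND name='notes'"
    ).fetchone()
    return row[0] == 1

def concat_single(db, owner):
    """Concatenated SQL through execute(), which accepts one statement only."""
    sql = "SELECT body FROM notes WHERE owner = '" + owner + "'"
    try:
        return [r[0] for r in db.execute(sql)]
    except (sqlite3.Warning, sqlite3.Error) as exc:
        # Exception class differs by Python version, so report it generically.
        return "rejected: " + type(exc).__name__

def concat_multi(db, owner):
    """Same concatenated SQL through executescript(), which runs every statement."""
    db.executescript("SELECT body FROM notes WHERE owner = '" + owner + "'")

def parameterized(db, owner):
    """Bound parameter: the input is data and is never parsed as SQL."""
    return [r[0] for r in db.execute("SELECT body FROM notes WHERE owner = ?", (owner,))]

def demo():
    a, b, c = make_db(), make_db(), make_db()
    single = concat_single(a, STACKED)
    concat_multi(b, STACKED)
    bound = parameterized(c, STACKED)
    return {
        "single_result": single, "single_table_intact": table_exists(a),
        "multi_table_intact": table_exists(b),
        "bound_result": bound, "bound_table_intact": table_exists(c),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

The single-statement API only stops the stacked form of the input; the bound parameter is what keeps the input from being parsed as SQL at all.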
