So... I was logging in somewhere today when I somehow accidentally ended up typing one of my passwords into the Firefox 3 smart URL search box. Well, to my surprise, this password retrieved 1 result from Google. And it was from one of my sites - that happened to use the same password for the database as the other place I was trying to log in.
I have tried this URL format on another installation and it renders a not found note, probably like it should. So naturally I'm crappin my pants a lil right now, contemplating what I'll need to change to try and re-protect myself. But I thought I would just share this info just in case it occurs to someone else. This may be occurring because of some combination of modules maybe?
$matches = FALSE;
if (preg_match("|website.com|",$_SERVER["HTTP_HOST"]) && preg_match("|^/site/(\w+)|",request_uri(), $matches) && $matches) {
  $my_site_base = $matches[1];
  $db_prefix = "". $my_site_base ."_";
  $base_url = "http://website.com/site/". $my_site_base .""; // NO trailing slash!
  $db_url = "mysql://thedb_user:MYPASSWORDHERE@localhost/thedb_db";
  $db_prefix = '';
  ///This assumes you have a ./files directory in your base drupal directory
  $conf = array(
    "file_directory_path" => "files/".$my_site_base,
  );
}
Warning: Cannot modify header information - headers already sent by (output started at /home/username/public_html/website.com/sites/website.com.site/settings.php:11) in /home/username/public_html/website.com/includes/common.inc on line 141
Unsupported database type
The database type is unsupported. Please use either mysql for MySQL 3.x & 4.0.x databases, mysqli for MySQL 4.1.x+ databases, or pgsql for PostgreSQL databases. The database information is in your settings.php file.
For more help, see the Installation and upgrading handbook. If you are unsure what these terms mean you should probably contact your hosting provider.
Comments
Comment #1
agentrickard
And you fingered MySite why?
This should be sent to the security team and not the issue queue.
Comment #2
agentrickard
This is very likely operator error and has no direct connection to the module.
--
http://ken.therickards.com
Comment #3
vishun
ah ok..
The reason why I thought it was related to this module was the URL that caused this info to be output, being a mysite formatted url/path replacing a clean-url for a username with a user id.. and then this specific excerpt from what I pasted in the earlier post:
^ where thedb_user was my database username for Drupal, mypasswordhere was the database password, and then to what database name... I tried the same URL on another site using mysite and it rendered the not found page, which is what led me to suspect it's some combination of modules.