So... I was logging in somewhere today when I somehow accidentally ended up typing one of my passwords into the Firefox 3 smart URL search box. Well, to my surprise, this password retrieved 1 result from Google. And it was from one of my sites - that happened to use the same password for the database as the other place I was trying to log in.

I have tried this URL format on another installation and it renders a not found note, probably like it should. So naturally I'm crappin my pants a lil right now, contemplating what I'll need to change to try and re-protect myself. But I thought I would just share this info just in case it occurs to someone else. This may be occurring because of some combination of modules maybe?

$matches = FALSE;
if (preg_match("|website.com|",$_SERVER["HTTP_HOST"]) && preg_match("|^/site/(\w+)|",request_uri(), $matches) && $matches) {
  $my_site_base = $matches[1];
  $db_prefix = "". $my_site_base ."_";
  $base_url = "http://website.com/site/". $my_site_base .""; // NO trailing slash!
  $db_url = "mysql://thedb_user:MYPASSWORDHERE@localhost/thedb_db";
  $db_prefix = '';
  ///This assumes you have a ./files directory in your base drupal directory
  $conf = array(
    "file_directory_path" => "files/".$my_site_base,
  );
}
Warning: Cannot modify header information - headers already sent by (output started at /home/username/public_html/website.com/sites/website.com.site/settings.php:11) in /home/username/public_html/website.com/includes/common.inc on line 141
Unsupported database type

The database type is unsupported. Please use either mysql for MySQL 3.x & 4.0.x databases, mysqli for MySQL 4.1.x+ databases, or pgsql for PostgreSQL databases. The database information is in your settings.php file.

For more help, see the Installation and upgrading handbook. If you are unsure what these terms mean you should probably contact your hosting provider.

Comments

agentrickard

Status: Active » Postponed (maintainer needs more info)

And you fingered MySite why?

This should be sent to the security team and not the issue queue.

agentrickard

Status: Postponed (maintainer needs more info) » Closed (won't fix)

This is very likely operator error and has no direct connection to the module.

--
http://ken.therickards.com

vishun

ah ok..

The reason why I thought it was related to this module was the URL that caused this info to be output, being a mysite formatted url/path replacing a clean-url for a username with a user id.. and then this specific excerpt from what I pasted in the earlier post:

$my_site_base = $matches[1];
$db_prefix = "". $my_site_base ."_";
$base_url = "http://website.com/site/". $my_site_base .""; // NO trailing slash!
$db_url = "mysql://thedb_user:MYPASSWORDHERE@localhost/thedb_db";

^ where thedb_user was my database username for Drupal, mypasswordhere was the database password, and then to what database name... I tried the same URL on another site using mysite and it rendered the not found page, which is what led me to suspect it's some combination of modules.