Sometimes when installing a new product on our web server, I noticed that the install managers (usually a simple HTML / PHP interface) automatically fill in our MySQL details in the form for setting up the database. The user and password are correct, but I never entered them myself.
If the software can do it, couldn’t a hacker possibly do the same? Do I need to take any additional preventive measures?
I have set the permissions so that no one except the designated users can execute those scripts, but it still left me wondering if it could be exploited somehow.
Your environment is possibly setting the mysql.default_user and mysql.default_password, which those install scripts may be looking at. Try running phpinfo() to determine the runtime configuration and see if these configuration options are set. Look at the PHP MySQL Configuration Manual.
Whether you think any script having access to the MySQL credentials is a risk depends on your environment. I’d probably err on the side of not having these options set, and not only because of the possible security implications.
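One way to run the check suggested in the answer without exposing a full phpinfo() page, as an added example that is not part of the original answer: it reports whether the default-credential directives are set and where, without printing their values. The mysqli.* names and the function name are additions here, on the assumption that the server may use mysqli rather than the legacy mysql extension.

```php
<?php
// Added example: audit PHP's default MySQL credential directives.
// It reports only whether a value is present, never the value itself.

// mysql.* names come from the answer above; mysqli.* are the equivalent
// directives of the mysqli extension (assumed relevant on newer servers).
const CREDENTIAL_DIRECTIVES = [
    'mysql.default_user',
    'mysql.default_password',
    'mysqli.default_user',
    'mysqli.default_pw',
];

// Hypothetical helper name; returns [directive => human-readable state].
function audit_default_credentials(array $names): array
{
    // Each entry carries 'global_value' (php.ini) and 'local_value'
    // (per-directory configuration such as .htaccess, or ini_set()).
    $all = ini_get_all();
    $report = [];

    foreach ($names as $name) {
        if (!isset($all[$name])) {
            // The extension that owns this directive is not loaded.
            $report[$name] = 'not registered';
            continue;
        }
        $global = (string) $all[$name]['global_value'];
        $local  = (string) $all[$name]['local_value'];

        if ($global === '' && $local === '') {
            $report[$name] = 'unset';
        } elseif ($global !== '') {
            $report[$name] = 'SET in php.ini (readable by every script)';
        } else {
            $report[$name] = 'SET per-directory or at runtime';
        }
    }
    return $report;
}

foreach (audit_default_credentials(CREDENTIAL_DIRECTIVES) as $name => $state) {
    printf("%-24s %s\n", $name, $state);
}
```

Run it from the command line and through the web server, since the two usually load different php.ini files; remove the script from the web root afterwards.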