[Wine] Re: WineHQ database compromise

GlennLChugg wineforum-user at winehq.org
Tue Oct 11 18:18:34 CDT 2011


tijnema wrote:
> On Tue, Oct 11, 2011 at 9:13 PM, Jeremy White <jwhite at codeweavers.com> wrote:
> 
> > Hi,
> > 
> > I am sad to say that there was a compromise of the WineHQ database system.
> > 
> > What we know at this point is that someone was able to obtain unauthorized
> > access to the phpmyadmin utility.  We do not know exactly how they obtained
> > access; it was either by compromising an admin's credentials, or by
> > exploiting an unpatched vulnerability in phpmyadmin.
> > 
> > 
> 
> Jeremy,
> 
> Almost 2 years ago I sent you an email privately about a security
> hole with the database. To be exact, the date of the email is Wed,
> Jul 29, 2009, 12:00 AM (GMT +02:00). I guess that's probably the same
> trick the bad guys have used...
> 
> Kind regards,
> 
> Matijn Woudt


In hindsight, this would have been worth re-mentioning (at least once every few months), or IT WAS YOU :P, you knew a way to access the data and decided that if they weren't gonna patch the hole that you could grab the data and show them how wrong it was to ignore you :D (Joking... or am I).

Seriously, security is mostly a joke; if someone wants to get access they can/will, but that is not to say you make it easier for them by leaving holes in your security. I hope in the future reports are treated very seriously. PHP is one of the most hackable web services; I am surprised WineHQ has been left alone this long. All my forums have been targeted at one stage of their life cycle. But I now know a way around the security issues (no, I won't share or it'll be targeted too).






