AI PRP: Mindsdb weak credential #486
Labels
Contributor queue
When a contributor has already one issue/PR in review, we put the following ones on hold with this.
Comments
tooryx
added
the
Contributor queue
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Mindsdb has a default configuration file when we spin up an instance with the docker:
{ "config_version":"1.4", "storage_dir": "/root/mdb_storage", "debug": false, "integrations": {}, "api": { "http": { "host": "0.0.0.0", "port": "47334" }, "mysql": { "host": "0.0.0.0", "password": "", "port": "47335", "user": "mindsdb", "database": "mindsdb", "ssl": true }, "mongodb": { "host": "0.0.0.0", "port": "47336", "database": "mindsdb" } } }You can see there is no authentication option enabled by default for the HTTP(GUI) endpoint ( we can confirm this by simply setting up a docker instance of mindsdb). Also, we should add a
mindsdb:username and an empty password for the MySQL weak credential tester too.There is no authentication enabled by default but we can find configuration files in the documentation that are using basic authentication too with usernames and passwords like
mindsdb:123, the authentication is a basic authentication header so we can easily test weak credentials.for post-login validation, we can send an HTTP GET request to our tsunami callback server easily by trying to add a file as Datasource with an arbitrary URL:
The text was updated successfully, but these errors were encountered: