I'm amused... apparently their MySQL connection failed :)
UPDATE: So, as @mubix so aptly pointed out, this really isn't a FOX problem, but it looks like a Twitter "oops"... after doing a quick search I found hundreds of these mysql_connect and other assorted MySQL errors all over the place. Sounds like there are some issues over at Twitter... or maybe something else?
~~ Z O M G ~~ --> 3/18/09 @ 2:41pm CDT
In case you're curious... this has absolutely devolved into a very serious configuration/flaw issue - tinyurl's site has a very serious problem. As you can see, going to http://tinyurl.com/php.php (the PHP configuration display page) shows you way, way, waaaaay too much information.
Can someone please tell me WHY this exists?
Thanks to Steve Ragan from The Tech Herald for this link... more data-mining type information, all publicly available, about TinyURL.com: http://www.robtex.com/dns/tinyurl.com.html
Woohoo! We got written up in The Register! Thanks Dan!
FINALLY - 3/18/09 @ 10:12pm CDT
... TinyURL finally got the sense to turn OFF the tinyurl.com/php.php page... FINALLY. I guess better late than never.
UPDATE - 3/19/09 @ 7:00am CDT
I received this email overnight from Kevin "Gilby" Gilbertson...
While our backup server was misconfigured to show the php errors, you incorrectly concluded that we are running the webserver under a root or administrator user.
Kevin "Gilby" Gilbertson
UPDATE - 3/19/09 @12:10pm CDT
Well... I can see some of you have gotten quite worked up about this issue... so let me address it as such.
- First, thank you to Kevin Gilbertson (founder, TinyURL.com) for the constructive email exchange and removal of some of the dangerous content on the root site; and in addition to that Kevin has promised a full security review of his infrastructure which makes me (and should make you) feel better about the service. Progress is everything here; in the security profession we all understand that vulnerabilities are a fact of life - it's how you deal with them and how quickly you close them that separates the wheat from the chaff. Again, thanks to Kevin for being constructive - great job.
- Next, regarding the "root" user question -
Web Server: Lighttpd/1.4.21... so from there we can discover that Lighttpd does *not* automatically jump to a non-privileged account when it's done starting up; instead it's fully configurable, as so:
Sample Config page: http://redmine.lighttpd.net/repositories/entry/lighttpd/branche/lighttpd-1.4.x/doc/lighttpd.conf

    ## chroot() to directory (default: no chroot() )
    #server.chroot = "/"

    ## change uid to <uid> (default: don't care)
    #server.username = "wwwrun"

    ## change uid to <uid> (default: don't care)
    #server.groupname = "wwwrun"

So while this in no way conclusively proves that this server is running as root:wheel, it also does not tell us that it is not... therefore the only thing that could prove this would be a "ps" from the CLI on the box itself...
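Since the "ps" question above comes down to what the config actually does, here is an added example (my own shell script, not TinyURL's or lighttpd's code) that checks a ps listing for root-owned web processes and a lighttpd.conf for an uncommented server.username; the sample ps output and config fragments are constructed, and the php-cgi/php-fpm worker names are an assumption.

```shell
#!/bin/sh
# Added example, not from the original post. Two defender-side checks for the
# question raised above: is lighttpd (or its PHP workers) actually running as
# root, and does the lighttpd.conf ever drop privileges? All inputs below are
# constructed samples; php-cgi/php-fpm as worker names is an assumption.

# Read `ps -eo user=,comm=` output on stdin and print every lighttpd or PHP
# worker owned by root. Exit status 1 if any were found, 0 if none.
root_web_procs() {
    awk '$1 == "root" && $2 ~ /^(lighttpd|php-cgi|php-fpm)$/ { print; found = 1 }
         END { if (found) exit 1; exit 0 }'
}

# Read a lighttpd.conf on stdin and exit 0 only if an uncommented
# server.username line names a user other than root. The stock sample config
# leaves the line commented out, so the daemon keeps whatever account it was
# started from, which is exactly why the "ps" question cannot be settled
# from the outside.
lighttpd_drops_privs() {
    awk '/^[[:space:]]*server\.username[[:space:]]*=/ {
             sub(/^[^=]*=/, "")            # drop the key and the "="
             gsub(/["[:space:]]/, "")      # keep only the bare value
             if ($0 != "" && $0 != "root") ok = 1
         }
         END { if (ok) exit 0; exit 1 }'
}

# Constructed ps sample: lighttpd itself is still root, workers are wwwrun.
SAMPLE_PS='root lighttpd
wwwrun php-cgi
root sshd
wwwrun php-cgi'

# Constructed config fragments: the stock (commented-out) lines vs. a fix.
STOCK_CONF='## change uid to <uid>
#server.username            = "wwwrun"
#server.groupname           = "wwwrun"'

HARDENED_CONF='server.username  = "wwwrun"
server.groupname = "wwwrun"'

demo() {
    printf '%s\n' "$SAMPLE_PS" | root_web_procs || echo "=> web process running as root"
    printf '%s\n' "$STOCK_CONF" | lighttpd_drops_privs || echo "=> stock config never drops privileges"
    printf '%s\n' "$HARDENED_CONF" | lighttpd_drops_privs && echo "=> hardened config drops to wwwrun"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with `--demo` to see all three verdicts; on a real box feed `ps -eo user=,comm=` and the live config into the two functions instead of the samples.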
- Finally... Those lobbing nasty comments are missing the point. The TinyURL site/server had serious security issues, which I have since sent along to Kevin and also removed from the post above for the sake of being responsible... Kevin has done a good job closing these issues up and will be following up on what is left on his own. Disclosing the full PHP information is a serious security risk and if you don't feel so... I feel bad for your customers/employer. I will certainly welcome any healthy debate about the topic.
Thanks for reading, I appreciate the debate and welcome continued discourse!