Bugtraq mailing list archives
Re: Some more MySql security issues
From: "Carsten H. Pedersen" <carsten.pedersen () BITBYBIT DK>
Date: Mon, 12 Feb 2001 22:34:45 +0100
> I am a little bit confused about this mail. Maybe the author can explain some issues to me...
>
> On Sat, Feb 10, 2001 at 12:54:33AM -0000, Joao Gouveia wrote:
> > roberto@spike:~ > mysql -ublaah
> > (Note: 'blaah' obviously isn't a valid username)
>
> You seem to have a strange configuration of mysql. By default only valid users are allowed to connect to the database.

Depends what you mean by "valid users" - mysql users or users with shell accounts on the system running MySQL? By default, MySQL installs with the database 'test', and any user logged onto localhost (i.e. users having a shell account on the system) may connect to MySQL and start manipulating this and any other database having a name starting with 'test_'. These users are considered "anonymous" users in MySQL. They do *not* have to be defined as MySQL users in order to do this.

> So the overflow in "drop database" can only be used by users of mysql.

<cut>

which is anyone with a shell account on the system running MySQL, unless the administrator has done the only wise thing, namely dropped the test database and deleted the anonymous user from the MySQL user definition.

/ Carsten

--
Carsten H. Pedersen
keeper and maintainer of the bitbybit.dk MySQL FAQ
http://www.bitbybit.dk/mysqlfaq
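
The cleanup described in the message above (dropping the test database and deleting the anonymous user), written out as an added example that is not part of the original post. It assumes a MySQL server whose grant tables `mysql.user` and `mysql.db` can be edited directly, and a session running as an administrative account.

```sql
-- Added example, not from the original post.
-- Assumption: grant tables (mysql.user, mysql.db) are directly editable
-- and this session runs as an administrative account.

-- 1. Audit: anonymous accounts are rows with an empty User column.
SELECT Host, User FROM mysql.user WHERE User = '';

-- 2. Audit: database-level privileges held by the anonymous user.
--    A default install grants the database 'test' and the pattern 'test\_%'.
SELECT Host, Db, User FROM mysql.db WHERE User = '';

-- 3. Remove the anonymous accounts and the default test grants.
--    ('\\' in the string literal is a single backslash in the stored value.)
DELETE FROM mysql.user WHERE User = '';
DELETE FROM mysql.db WHERE Db = 'test' OR Db = 'test\\_%';

-- 4. Drop the test database itself.
DROP DATABASE IF EXISTS test;

-- 5. Reload the grant tables so the changes apply to new connections.
FLUSH PRIVILEGES;

-- 6. Verify: both queries should now return no rows.
SELECT Host, User FROM mysql.user WHERE User = '';
SELECT Host, Db, User FROM mysql.db WHERE Db = 'test' OR Db = 'test\\_%';
```

Databases that were already created under the `test_` prefix are not dropped by these statements and need to be reviewed separately.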