Full Disclosure mailing list archives
Re: Mysql 3.23.x/4.0.x Remote Root Exploit
From: Melvyn Sopacua <msopacua () idg nl>
Date: Mon, 15 Sep 2003 16:29:06 +0200
At 15:16 14-9-2003, Jedi/Sector One wrote:
On Sun, Sep 14, 2003 at 05:59:59AM -0700, Elv1S wrote: > http://www.k-otik.com/exploits/09.14.mysql.c.php > don't know if this vuln is patched ? Yes, just upgrade MySQL to 4.0.15 or apply the small patch posted in the advisory.
Actually - there's a very simple work-around, based upon the age old "chicken and egg principle": In order to exploit this bug, you need to have ALTER privileges on the mysql.user table. Just grant that privilege only to a trusted *local* account (say 'root') and you're home free. Make sure only trusted persons know that password and don't store it anywhere digitally (remember to remove ~/.mysql_history after changing the password). Met vriendelijke groeten / With kind regards, Webmaster IDG.nl Melvyn Sopacua _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Mysql 3.23.x/4.0.x Remote Root Exploit Elv1S (Sep 14)
- Re: Mysql 3.23.x/4.0.x Remote Root Exploit Andreas Gietl (Sep 14)
- Re: Mysql 3.23.x/4.0.x Remote Root Exploit Jedi/Sector One (Sep 14)
- Re: Mysql 3.23.x/4.0.x Remote Root Exploit Melvyn Sopacua (Sep 15)
- Re: Mysql 3.23.x/4.0.x Remote Root Exploit Kilian CAVALOTTI (Sep 14)