Penetration Testing mailing list archives
RE: Rooting out false positives
From: "Scott Fuhriman" <fuhrimans () llix net>
Date: Mon, 18 Jul 2005 16:50:58 -0700
This particular vulnerability in regards to not setting the password for mySQL is related to local user accounts on the machine, but also to remote users indirectly. Depending on the security of the box and the configuration, it may actually be accessible from a remote connection attempt. Without a password any local user could easily access the database with admin privileges. Although this is a vulnerability to the accounts on the local machine it also means that if an account was compromised on the machine through some other system vulnerability, then the remote user would also in effect have local user access. This would provide the malicious user with the ability to also gain "easy" access to the database. Rather than rooting out false positives, it is a question of understanding the vulnerability and how it can be exploited through other means than an obvious direct approach. Scott Fuhriman -----Original Message----- From: Erin Carroll [mailto:amoeba () amoebazone com] Sent: Monday, July 18, 2005 4:20 PM To: pen-test () securityfocus com Subject: Rooting out false positives I recently rejected the below submission to the list as it was more appropriate for Tenable's nessus list rather than pen-test but I wanted to submit it with an addendum to bring up a topic which I would love to see discussed: How do list members deal with rooting out false positives? When do you have "enough" feedback in pen-testing a possible vunerability before putting something in the false positive column? 5 years ago certain vulnerabilities would have been beyond my skill level at the time to assess and verify correctly. I'm sure there are things now that fall into that area as well. What methods do you guys use to minimize that situation from occuring?
-----Original Message----- From: darkslaker [mailto:darkslaker.secure () gmail com] Sent: Monday, July 18, 2005 2:48 PM To: pen-test () securityfocus com Subject: Help with MYSQL In my last PT , nessus detect Your MySQL database is not password protected. Anyone can connect to it and do whatever he wants to your data (deleting a database, adding bogus entries, ...) We could collect the list of databases installed on the remote host : i couldnĀ“t connect with the Server. I think is a False Positive. But i not sure in this case. I tray to connect with perl , php , mysql and mysqldump. Anyone have information about this. DarkSlaker
Current thread:
- Rooting out false positives Erin Carroll (Jul 18)
- RE: Rooting out false positives Scott Fuhriman (Jul 18)
- Re: Rooting out false positives Renaud Deraison (Jul 19)
- Re: Rooting out false positives Michel Arboi (Jul 20)
- Re: Rooting out false positives Renaud Deraison (Jul 19)
- RE: Rooting out false positives Omar Herrera (Jul 18)
- Re: Rooting out false positives Javier Fernandez-Sanguino (Jul 19)
- <Possible follow-ups>
- Re: Rooting out false positives Omar Herrera (Jul 19)
- RE: Rooting out false positives Scott Fuhriman (Jul 18)