Full Disclosure mailing list archives
Re: User bypass privs for Mysql??
From: Maarten <fulldisc () ultratux org>
Date: Tue, 18 May 2004 19:46:24 +0200
On Tuesday 18 May 2004 18:24, Esler, Joel - Contractor wrote:
I did not have the grant priv, I had select, insert on mysql db. (I did log in as a different user --i.e. not root) Using MysqlCC I changed the Grant field from N to Y, and then could grant myself all privs to every database. Of course, I did have select, insert on mysql.. probably why huh?

I'm not a mysql guru but... yes. That would be akin to disallowing the use of 'chsh' and 'chfn' but in the meantime having /etc/passwd world-writeable...

Maarten
-----Original Message-----
From: Ben Nelson [mailto:lists () venom600 org]
Sent: Tuesday, May 18, 2004 11:48 AM
To: Esler, Joel - Contractor
Cc: full-disclosure () lists netsys com
Subject: Re: [Full-disclosure] User bypass privs for Mysql??

What permissions DID you have prior to editing your grants. How did you edit the grant (i.e. update user set Grant_priv = 'Y' where user = 'floobie' ). What version of mysql? Did you log in as yourself to edit the grants, or as another user?

Also, you say you edited your 'Grant' from N to Y and then you instantly had all privs? Or did you edit your Grant from N to Y and then go grant yourself all privs?

More information please.

--Ben

Esler, Joel - Contractor wrote:
| Not having any grant permissions. I went into the mysql/user table and
| edited the Grant from N to Y. Logged out and logged back in, and I had
| full privs including Grant. I shouldn't be able to do this...
|
| Joel
|
| _______________________________________________
| Full-Disclosure - We believe in it.
| Charter: http://lists.netsys.com/full-disclosure-charter.html
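An audit for the condition discussed in this thread, added here as an example and not part of any poster's message: it lists accounts that can write to the grant tables in the mysql schema. It assumes the stock grant-table layout (mysql.user, mysql.db, mysql.tables_priv) and an administrative session; the account in the commented REVOKE is a placeholder.

```sql
-- Added example: find accounts able to modify the MySQL grant tables.
-- Any row returned is an account that can rewrite its own privileges.

-- 1. Global privileges apply to every schema, including mysql.
SELECT 'global' AS scope, User, Host, NULL AS target,
       Insert_priv, Update_priv, Delete_priv, Grant_priv
FROM mysql.user
WHERE Insert_priv = 'Y' OR Update_priv = 'Y' OR Delete_priv = 'Y';

-- 2. Schema-level grants. The Db column may hold a wildcard pattern
--    (for example '%'), so match the literal name against the pattern.
SELECT 'schema' AS scope, User, Host, Db AS target,
       Insert_priv, Update_priv, Delete_priv, Grant_priv
FROM mysql.db
WHERE 'mysql' LIKE Db
  AND (Insert_priv = 'Y' OR Update_priv = 'Y' OR Delete_priv = 'Y');

-- 3. Table-level grants on individual grant tables (Table_priv is a SET).
SELECT 'table' AS scope, User, Host,
       CONCAT(Db, '.', Table_name) AS target, Table_priv
FROM mysql.tables_priv
WHERE Db = 'mysql'
  AND (FIND_IN_SET('Insert', Table_priv) > 0
    OR FIND_IN_SET('Update', Table_priv) > 0
    OR FIND_IN_SET('Delete', Table_priv) > 0);

-- Remediation for a schema-level grant found by query 2.
-- 'app_user'@'localhost' is a placeholder, not an account from the thread.
-- REVOKE INSERT, UPDATE, DELETE ON mysql.* FROM 'app_user'@'localhost';
```

Accounts returned by the first query hold the privilege globally, so the fix there is to replace the global grant with grants scoped to the schemas the account actually needs.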