On Sun, Sep 14, 2003 at 05:59:59AM -0700, Elv1S wrote:
> http://www.k-otik.com/exploits/09.14.mysql.c.php
> don't know if this vuln is patched ?

Yes, just upgrade MySQL to 4.0.15 or apply the small patch posted in the advisory.
Actually - there's a very simple work-around, based upon the age-old "chicken and egg principle": In order to exploit this bug, you need to have ALTER privileges on the mysql.user table. Just grant that privilege only to a trusted *local* account (say 'root') and you're home free. Make sure only trusted persons know that password and don't store it anywhere digitally (remember to remove ~/.mysql_history after changing the password).
Met vriendelijke groeten / With kind regards,
Webmaster IDG.nl Melvyn Sopacua
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
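
An added example, not part of the original messages or the advisory: SQL an administrator could run to list which accounts hold ALTER on mysql.user, the precondition named in the reply above. The account in the commented-out REVOKE is a placeholder, and the queries assume the standard grant-table layout (mysql.user, mysql.db, mysql.tables_priv).

```sql
-- Added example: audit who can ALTER mysql.user.
-- Run as an administrative account that can read the grant tables.

-- 1. Global ALTER (ON *.*), which covers the mysql database as well.
--    Anything other than the trusted local account deserves a look.
SELECT User, Host
FROM mysql.user
WHERE Alter_priv = 'Y'
ORDER BY User, Host;

-- 2. Database-level ALTER. The Db column may hold wildcard patterns
--    such as '%' or 'my%', so match the name 'mysql' against the pattern.
SELECT User, Host, Db
FROM mysql.db
WHERE Alter_priv = 'Y'
  AND 'mysql' LIKE Db
ORDER BY User, Host;

-- 3. Table-level ALTER granted directly on mysql.user.
--    Table_priv is a SET column, so test membership with FIND_IN_SET.
SELECT User, Host, Db, Table_name, Table_priv
FROM mysql.tables_priv
WHERE Db = 'mysql'
  AND Table_name = 'user'
  AND FIND_IN_SET('Alter', Table_priv) > 0
ORDER BY User, Host;

-- 4. Remove the privilege from an account that should not have it.
--    'example_user'@'%' is a placeholder; substitute a row returned above
--    and use the same scope (*.*, mysql.*, or mysql.user) as the grant.
-- REVOKE ALTER ON *.* FROM 'example_user'@'%';
```

Rows from the first two queries whose Host is not a local address are the ones that conflict with the "trusted local account only" approach described in the reply.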
