On Tuesday 18 May 2004 18:24, Esler, Joel - Contractor wrote:
> I did not have the grant priv, I had select, insert on mysql db. (I did
> log in as a different user --i.e. not root) Using MysqlCC I changed the
> Grant field from N to Y, and then could grant myself all privs to every
> database.
>
> Of course, I did have select, insert on mysql.. probably why huh?

I'm not a mysql guru but... yes. That would be akin to disallowing the use of 'chsh' and 'chfn' but in the meantime having /etc/passwd world-writeable...

Maarten

> -----Original Message-----
> From: Ben Nelson [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, May 18, 2004 11:48 AM
> To: Esler, Joel - Contractor
> Cc: [EMAIL PROTECTED]
> Subject: Re: [Full-Disclosure] User bypass privs for Mysql??
>
> What permissions DID you have prior to editing your grants? How did you
> edit the grant (i.e. update user set Grant_priv = 'Y' where user =
> 'floobie' ). What version of mysql? Did you log in as yourself to edit
> the grants, or as another user? Also, you say you edited your 'Grant'
> from N to Y and then you instantly had all privs? Or did you edit your
> Grant from N to Y and then go grant yourself all privs?
>
> More information please.
>
> --Ben
>
> Esler, Joel - Contractor wrote:
> | Not having any grant permissions. I went into the mysql/user table and
> | edited the Grant from N to Y. Logged out and logged back in, and I had
> | full privs including Grant. I shouldn't be able to do this...
> |
> | Joel
> |
> | _______________________________________________
> | Full-Disclosure - We believe in it.
> | Charter: http://lists.netsys.com/full-disclosure-charter.html
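
A defensive audit for the condition discussed in this thread, as an added example that is not part of the original messages: it lists every account that holds write privileges on the `mysql` schema and can therefore edit its own row in the grant tables. It assumes the standard grant-table layout (`mysql.user`, `mysql.db`, `mysql.tables_priv`, `mysql.columns_priv`) and an auditing account allowed to read them; the account named in the commented `REVOKE` is a placeholder.

```sql
-- Added example (not from the thread): find accounts that can modify the
-- grant tables. Any row returned for a non-administrative account means that
-- account can raise its own privileges by editing mysql.user directly.

-- 1. Global privileges apply to every schema, including mysql.
SELECT 'global' AS scope, User, Host, '*.*' AS target
FROM mysql.user
WHERE Insert_priv = 'Y' OR Update_priv = 'Y' OR Delete_priv = 'Y'

UNION ALL

-- 2. Schema-level privileges. The Db column may contain wildcards
--    (for example 'my%'), so match the literal name against the pattern.
SELECT 'schema', User, Host, Db
FROM mysql.db
WHERE 'mysql' LIKE Db
  AND (Insert_priv = 'Y' OR Update_priv = 'Y' OR Delete_priv = 'Y')

UNION ALL

-- 3. Table-level privileges on individual grant tables.
SELECT 'table', User, Host, CONCAT(Db, '.', Table_name)
FROM mysql.tables_priv
WHERE Db = 'mysql'
  AND (FIND_IN_SET('Insert', Table_priv)
       OR FIND_IN_SET('Update', Table_priv)
       OR FIND_IN_SET('Delete', Table_priv))

UNION ALL

-- 4. Column-level privileges (e.g. UPDATE on mysql.user.Grant_priv only).
SELECT 'column', User, Host, CONCAT(Db, '.', Table_name, '.', Column_name)
FROM mysql.columns_priv
WHERE Db = 'mysql'
  AND (FIND_IN_SET('Insert', Column_priv)
       OR FIND_IN_SET('Update', Column_priv));

-- Remediation for a schema-level hit; 'app_user'@'localhost' is a
-- placeholder, substitute the User and Host values from the result.
-- REVOKE INSERT, UPDATE, DELETE ON mysql.* FROM 'app_user'@'localhost';
-- FLUSH PRIVILEGES;
```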
