Yang pakai MySQL bisa terancam nih ya ?
MySQL password handling problem
----------------------------------------------------------------------------
----
SUMMARY
Anyone with access to a MySQL database connection and GRANT privilege for
any database or table in it, can change any MySQL password they wish,
including the superuser's.
DETAILS
Vulnerable systems:
MySQL 3.22.27
MySQL 3.22.29
MySQL 3.23.8
(And probably all MySQL versions since 3.22.11)
If the malicious user has access to run processes on the machine where
MySQL is running, that user can hijack the entire database. If the
attacker does not have such access, it is still possible to perform a DoS
attack on the server by setting the MySQL superuser's password to a random
string.
The 'test' users installed by MySQL's install scripts have GRANT
privileges for any database whose name begins with 'test', and can
therefore be used to exploit this bug. The 'test' accounts have no
passwords set by default, and no restrictions on where connects can come
from.
This makes all default-configured MySQL very vulnerable (anyone on the net
can change the MySQL superuser password!). Be aware, however, that any
user with a GRANT privilege (no matter on which database) in your MySQL
installation can exploit this bug. You may be vulnerable even if you've
removed the 'test' users.
Temporary workaround:
1) Revoke all GRANT privileges from all users in your MySQL system except
root@localhost. This includes GRANTs in the mysql.db table.
2) Confirm that your root@localhost password has not been altered.
Details:
The bug is that the GRANT statement does not properly check privileges
when you give it an IDENTIFIED BY-clause. You can therefore GRANT someone
(including the MySQL superuser) a privilege you yourself possess, and set
her/his password at the same time using IDENTIFIED BY.
Which privilege you pass on does not matter. It is the side effect of the
IDENTIFIED BY that does the magic. This can be exploited regardless of
your other permissions. You only need the GRANT privilege for any table or
database to exploit this bug.
For someone having login access to the machine running MySQL, hijacking
the database is trivial once the MySQL superuser password has been changed
using the above method. For someone without login access, changing the
superuser password can be a simple way of performing a DoS attack against
the server (not to mention the possibility of extortion).
In the default setup, MySQL prohibits access to the superuser account from
any other hosts than localhost. Sites that allow superusers to connect
from the net may be vulnerable to hijacking from malicious users without
local access.
Since the password-less 'test'-accounts created by MySQL installation
scripts have GRANT privileges for any database whose name begins with
'test', they can be used to exploit this bug.
Source patch:
*** /my/monty/master/mysql-3.23.8-alpha/sql/sql_parse.cc Fri Dec 31
13:53:03 1999
--- ./sql_parse.cc Mon Jan 10 21:53:59 2000
***************
*** 1222,1227 ****
--- 1222,1246 ----
tables ? &tables->grant.privilege : 0,
tables ? 0 : 1))
goto error;
+
+ /* Check that the user isn't trying to change a password for
another
+ user if he doesn't have UPDATE privilege to the MySQL database
*/
+
+ List_iterator <LEX_USER> user_list(lex->users_list);
+ LEX_USER *user;
+ while ((user=user_list++))
+ {
+ if (user->password.str &&
+ (strcmp(thd->user,user->user.str) ||
+ user->host.str && my_strcasecmp(user->host.str,
+ thd->host ? thd->host :
thd->ip)))
+ {
+ if (check_access(thd, UPDATE_ACL, "mysql",0,1))
+ goto error;
+ break; // We are allowed to
do changes
+ }
+ }
+
if (tables)
{
if (grant_option && check_grant(thd,
ADDITIONAL INFORMATION
The information was provided by: <mailto:[EMAIL PROTECTED]> Viktor
Fougstedt.
-------
AFLHI 058009990407128029/089802---(102598//991024)
http://www.indolinux.com - Nikmati Layanan Personal INDOLINUX ::
http://techscape.net/ - Webhosting: Dual T3 on Dual Pentium III 450Mhz
Only US$1.95/month -> CGI SSL 5MB Unlimited Traffic & Mail FP2000
-------------------------------------------------------------------
untuk berhenti kirim email ke [EMAIL PROTECTED]
untuk melihat peraturan kirim email ke [EMAIL PROTECTED]
arsip berada di http://www.mail-archive.com/[email protected]
