-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

thanks for your message.

On Wed, 18 Dec 2002, Gary Huntress wrote:

> I'd like to add to the "security flaw" thread with my own experience. I
> have been hosting MySQL databases for over 2 years and on a few
> occasions have had user databases disappear.
>
> Last month one of my admin databases was dropped.  The only user who has
> access to that database is root (me) and even after double checking all
> my scripts/code and database/table permissions I was unable to determine
> how it was done.  I was able to track down the culprit and asked him how
> he did it. He replied:
>
> "When using MySQL-Front (version 2.5) as a client to connect to a 4.x
> version MySQL server, any user (even without any granted rights) can
> drop any database. I guess there is a horrible security hole in the
> MySQL 4.x version."
>
> I don't really understand this client side exploit, nevertheless, the
> database WAS dropped and that is how he told me he did it.  Is this a
> red herring (false lead)?  If it is true, is this exploit being
> addressed?

Well, we can only address what we get informed about! In the future, it
would be good if you could inform us about such potential security
problems by sending your message to our mail address [EMAIL PROTECTED]

I've not heard about this specific issue before, but will forward it to
our developers for further analysis.

Thanks,

        LenZ
- -- 
For technical support contracts, visit https://order.mysql.com/?ref=mlgr
   __  ___     ___ ____  __
  /  |/  /_ __/ __/ __ \/ /      Mr. Lenz Grimmer <[EMAIL PROTECTED]>
 / /|_/ / // /\ \/ /_/ / /__     MySQL AB, Production Engineer
/_/  /_/\_, /___/\___\_\___/     Hamburg, Germany
       <___/   www.mysql.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.0 (GNU/Linux)
Comment: For info see http://quantumlab.net/pine_privacy_guard/

iD8DBQE+AILsSVDhKrJykfIRAlXdAJ49jfET5L9cYUqmw4eTFzTM9/rGFwCeNS3S
Dm8IF2byWxNbdgzvrBNWG+s=
=jKLg
-----END PGP SIGNATURE-----

