Hi!
Mark> Hi,

Gary> I'd like to add to the "security flaw" thread with my own experience.
Gary> I have been hosting MySQL databases for over 2 years and on a few
Gary> occasions have had user databases disappear.
Gary> Last month one of my admin databases was dropped. The only user who has
Gary> access to that database is root (me), and even after double-checking all
Gary> my scripts/code and database/table permissions I was unable to determine
Gary> how it was done. I was able to track down the culprit and asked him how
Gary> he did it. He replied:
Gary> "When using MySQL-Front (version 2.5) as the client to connect to a 4.x
Gary> version MySQL server, any user (even without any granted rights) can
Gary> drop any database. I guess there is a horrible security hole in MySQL
Gary> 4.x."
Gary> I don't really understand this client-side exploit; nevertheless, the
Gary> database WAS dropped and that is how he told me he did it. Is this a
Gary> red herring (false lead)? If it is true, is this exploit being
Gary> addressed?

I checked this up and noticed that your user is right.

In MySQL we have two different ways to drop a database:

- With 'DROP DATABASE database_name'.
- Through the deprecated client function 'mysql_drop_db()'.

The first case works correctly, but in the second case the grant check is
not done. I tracked this down to a merge I did between the 4.0 and 4.1 code
in September last year :(

The reason you could not repeat this is that MySQL-Front uses the old
mysql_drop_db() call, while you probably tested this with some client which
uses the new way to drop a database.

I will fix this at once for the next 4.0 release.

Thanks for reporting this!

Regards,
Monty

--
Mr. Michael Widenius <[EMAIL PROTECTED]>
MySQL AB, CTO
Helsinki, Finland
www.mysql.com
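The pattern Monty describes, one privileged operation reachable through two entry points with the grant check on only one of them, is modelled below as an added illustration in Python; it is not MySQL's code. ToyServer, its constructed grant table and the legacy_path_checks_grants switch are stand-ins for the server's SQL parser path and the old COM_DROP_DB protocol command that mysql_drop_db() sends, and legacy_path_enforces_grants() is the kind of regression check a DBA would want to run against both paths.

```python
# Added illustration (not MySQL's source): a toy model of the two code paths
# described in the thread. Only the SQL path checked grants before the fix.
import re

DROP_PRIV = "Drop_priv"


class ToyServer:
    """Minimal stand-in for a server holding databases and per-user grants."""

    def __init__(self, legacy_path_checks_grants):
        self.databases = {"admin_db", "user_db"}
        # Constructed grant table: only root holds Drop_priv.
        self.grants = {"root": {DROP_PRIV}, "guest": set()}
        self.legacy_path_checks_grants = legacy_path_checks_grants

    def check_access(self, user, priv):
        if priv not in self.grants.get(user, set()):
            raise PermissionError(f"{user} lacks {priv}")

    def _drop(self, name):
        self.databases.discard(name)

    def sql_query(self, user, query):
        """SQL path: 'DROP DATABASE <name>' always goes through check_access."""
        m = re.fullmatch(r"\s*DROP\s+DATABASE\s+(\w+)\s*;?\s*", query, re.I)
        if not m:
            raise ValueError("unsupported statement in this toy")
        self.check_access(user, DROP_PRIV)
        self._drop(m.group(1))

    def com_drop_db(self, user, name):
        """Legacy protocol command path (what mysql_drop_db() sends).
        The vulnerable build skips the grant check here; the fixed one does not."""
        if self.legacy_path_checks_grants:
            self.check_access(user, DROP_PRIV)
        self._drop(name)


def legacy_path_enforces_grants(server_factory):
    """Regression check: an unprivileged user must be refused on BOTH paths.
    Returns True only if every attempt is rejected and the database survives."""
    srv = server_factory()
    for attempt in (lambda: srv.sql_query("guest", "DROP DATABASE admin_db"),
                    lambda: srv.com_drop_db("guest", "admin_db")):
        try:
            attempt()
        except PermissionError:
            continue
        return False  # one entry point let the drop through
    return "admin_db" in srv.databases
```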