The preferred command sequence for the scenario that you stated 
previously is as follows:

shell> mysql -u root mysql
mysql> SET PASSWORD FOR root@localhost=PASSWORD('new_password');

There are a few procedures that can be followed. Check out the commands 
at this URL:

http://www.mysql.com/doc/en/Default_privileges.html

--
Thomas Jones
i-Null.com Network Administrator



David Lambert wrote:

> I am getting the report quoted at the bottom of this message from 
> nessus 1.2.3 when scanning my target system and would like to clarify 
> a couple of points.
>
> 1) If I telnet the same host I get the response:
>
>  telnet ns1 3306
> Trying 207.70.162.2...
> Connected to ns1.
> Escape character is '^]'.
> GHost '207.70.162.210' is not allowed to connect to this MySQL 
> serverConnection closed by foreign host.
>
> This seems to indicate to me that the server is not allowing remote 
> connections, so why the vulnerability?
>
> 2) The part of the message that reads:
>
> 'mysql -u root password <newpassword>'
>
> I think should read:
>
> 'mysqladmin -u root password <newpassword>'
>
> as there does not appear to be a 'password' command for 'mysql'
>
>
> . Vulnerability found on port mysql (3306/tcp) :
>
>
>    Your MySQL database is not password protected.
>
>    Anyone can connect to it and do whatever he wants to your data
>    (deleting a database, adding bogus entries, ...)
>    We could collect the list of databases installed on the remote host :
>
>    . 0
>
>    Solution : Log into this host, and set a password for the root user
>    through the command 'mysql -u root password <newpassword>'
>    Read the MySQL manual (available on www.mysql.com) for details.
>    In addition to this, it is not recommanded that you let your MySQL
>    daemon listen to request from anywhere in the world. You should filter
>    incoming connections to this port.
>
>
> -
> [EMAIL PROTECTED]: general discussions about Nessus.
> * To unsubscribe, send a mail to [EMAIL PROTECTED] with
> "unsubscribe nessus" in the body.
>
>
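
Added example, not part of the original thread: the text that telnet prints in point 1 is the MySQL server's first protocol packet, and this Python code decodes such a packet to tell a per-host refusal (error 1130) from the handshake an allowed client receives. The sample bytes are constructed from the message text quoted above; the function name, the handshake version string and the pre-4.1 error layout (no SQLSTATE field) are assumptions.

```python
ER_HOST_NOT_PRIVILEGED = 1130  # "Host '...' is not allowed to connect to this MySQL server"

def parse_first_packet(data: bytes) -> dict:
    """Classify the first packet a MySQL server sends after the TCP connect."""
    if len(data) < 5:
        raise ValueError("truncated packet")
    # Header: 3-byte little-endian payload length, then a 1-byte sequence number.
    length = int.from_bytes(data[0:3], "little")
    payload = data[4:4 + length]
    if length == 0 or len(payload) != length:
        raise ValueError("payload does not match declared length")
    if payload[0] == 0xFF:
        # Error packet (pre-4.1 layout assumed): marker, 2-byte code, message text.
        if length < 3:
            raise ValueError("error packet too short")
        code = int.from_bytes(payload[1:3], "little")
        return {
            "kind": "error",
            "length": length,
            "code": code,
            "message": payload[3:].decode("latin-1"),
            # The refusal applies to the connecting address only.
            "host_denied": code == ER_HOST_NOT_PRIVILEGED,
        }
    # Otherwise a handshake: protocol version byte, NUL-terminated server version.
    version, _, _ = payload[1:].partition(b"\x00")
    return {"kind": "handshake", "protocol": payload[0],
            "server_version": version.decode("latin-1")}

# Constructed sample: the refusal text from the telnet session, framed as a packet.
_MSG = b"Host '207.70.162.210' is not allowed to connect to this MySQL server"
_ERR = b"\xff" + ER_HOST_NOT_PRIVILEGED.to_bytes(2, "little") + _MSG
SAMPLE_ERROR = len(_ERR).to_bytes(3, "little") + b"\x00" + _ERR

# Constructed sample: a handshake with a placeholder version string and thread id.
_HS = b"\x0a" + b"0.0.0-constructed\x00" + b"\x01\x00\x00\x00"
SAMPLE_HANDSHAKE = len(_HS).to_bytes(3, "little") + b"\x00" + _HS

if __name__ == "__main__":
    for name, pkt in (("error", SAMPLE_ERROR), ("handshake", SAMPLE_HANDSHAKE)):
        print(name, parse_first_packet(pkt))
```

The constructed error packet has a 71-byte payload, so its first header byte is 0x47, the ASCII letter G that precedes "Host" in the telnet output. A refusal with code 1130 is decided per connecting host, so it describes only the address the probe came from.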

