Re: about mysql security
wangxu wrote:
> I get a concept about mysql security. It's named five-tiered access control. Can you tell me the detail of this concept?

Hello. Searching in the manual didn't return me any pages which have "five-tiered" inside. If you're interested in MySQL security, read this:
http://dev.mysql.com/doc/refman/5.0/en/security.html
http://dev.mysql.com/doc/refman/5.0/en/privilege-system.html

--
Gleb Paharenko, MySQL AB / Ensita.NET, www.mysql.com
For technical support contracts, goto https://order.mysql.com/?ref=ensita
This email is sponsored by Ensita.NET http://www.ensita.net/

--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED]
about mysql security
I get a concept about mysql security. It's named five-tiered access control. Can you tell me the detail of this concept?
Checking MySQL security
Hello everyone,

I'm interested in and working in IT security and have to do some security tests. Sometimes there is an Oracle DB, sometimes it's about MySQL. I found a lot of free scripts and tools to check the Oracle security level, but I did not find any for MySQL. I only found a '.c' file which tries to crack the accounts' passwords. That's why I write to this mailing list: I wonder if there exist some tools for MySQL to measure this security... hope there are...

thanks
MySQL Security Alert 2005-01-27
There is a bot active on the internet that is infecting Windows machines running MySQL Server:
http://isc.sans.org/diary.php?isc=a508f4a185755af19ea8bd45444a570b

An alert with background information is already available on:
http://dev.mysql.com/tech-resources/articles/security_alert.html

The following message contains practical information about how to protect your system.

1. What is the UDF Worm?

The UDF Worm is self-propagating code that is finding MySQL servers running on Microsoft Windows with poor firewall and password security. This worm does not exploit any bugs in MySQL. It does exploit poor security setups for firewalls and passwords. This worm is Microsoft Windows specific; however, firewall and password security is important on any platform.

2. What is a User Defined Function (UDF)?

A User Defined Function, often referred to as a UDF, is a part of the ANSI SQL-99 specification. This feature allows developers to create custom functions. It is a common feature among the major database products.

3. What does the UDF Worm do?

The UDF Worm looks for MySQL servers running on Microsoft Windows that have been exposed to the internet and have either weak or no passwords installed on the account named root. Once it finds an account it installs a UDF, and then uses that machine to scan for other machines that can possibly be infected.

4. How do I know if my MySQL installation has been infected?

Run the following SQL statement:

  SELECT * FROM mysql.func;

If a UDF is found with a name of app_result then you have probably been infected with the worm. You should look at all UDFs and determine whether or not they are legitimate. The worm is likely to mutate over time and will take on different UDF names. You may be able to remove this UDF by running the following SQL statement:

  DROP FUNCTION app_result;

Please note, however, that this does not remove the worm itself once your system has been infected. See the next section for further details.

5. How do I disinfect my system?

As the worm is of a known family called WootBot or SpyBot, most virus scanners will pick up the executable with their existing signature files and alert you. F-Secure provides additional information on this type of bot as well as tools for removing it:
http://www.f-secure.com/v-descs/wootbot.shtml

To prevent any unauthorized person or program from connecting to your database you should verify that all of your current accounts have passwords and that they are strong passwords (i.e. not easily guessable). Remember to always use firewalls and strong passwords to protect your MySQL Servers. Please consult your security advisors for the best way to protect your systems.

6. How do I protect my MySQL Servers on Microsoft Windows?

There are 2 basic steps to protect your MySQL Servers:
1. Always use strong passwords on all accounts.
2. Use firewalls to protect your MySQL Servers.

The Windows installation procedure in MySQL 4.1 and up takes additional steps to ensure that users create a secure setup. For information about securing your root account on an existing installation, see
http://dev.mysql.com/doc/mysql/en/default-privileges.html and
http://dev.mysql.com/doc/mysql/en/security-against-attack.html.

Specifically, ensure that the root account has a STRONG password that cannot be easily guessed. Also, remove the root@'%' account from the grant tables. Connect to the MySQL server as root; the following example uses the 'mysql' command line client. Search for mysql.exe on your hard drive, and run this program with the parameters -u root -p.

  Enter password: *
  Welcome to the MySQL monitor.  Commands end with ; or \g.
  Your MySQL connection id is 1 to server version: 4.1.9-nt

  Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

  mysql> DELETE FROM mysql.user WHERE host = '%' AND user = 'root';
  Query OK, 1 row affected (0.03 sec)

  mysql> FLUSH PRIVILEGES;
  Query OK, 0 rows affected (0.05 sec)

  mysql> quit

This will prevent root logins from other machines. If you don't require any access to the database server from other machines, you can even disable networking completely by using the skip-networking option in your configuration file and restarting the server. You can also use MySQL Administrator to edit your MySQL configuration. Local connections are handled via named pipes on an NT based system (Windows NT4, 2000, XP, 2003).

7. Is this a vulnerability on Microsoft Windows, Linux, or Unix?

This worm is Microsoft Windows specific; however, firewall and password security is important on any platform. If your server is behind a firewall and you have a strong root password, you are not vulnerable to this worm. If not, take the necessary steps now to protect your system. Learn more about strong passwords and firewall setups for Microsoft Windows here:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/windows_password_tips.mspx
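As an added example (not part of the MySQL AB alert above, and also a partial answer to the earlier request on this page for a way to measure a MySQL server's security level), the following statements audit a server for exactly the conditions the worm needs and then apply the fixes the alert recommends. They are run as root with the mysql command-line client. Table and column names are those of the mysql grant tables (mysql.func, mysql.user) in MySQL 4.x/5.0; app_result is the UDF name given in the alert; the replacement password is a placeholder you must substitute with your own.

```sql
-- Added example, not from the MySQL AB alert.  Run as root:  mysql -u root -p

-- 1. Any UDFs registered at all?  On a server where nobody ever ran
--    CREATE FUNCTION this must return an empty set.  The alert names
--    app_result, but the worm may register under a different name.
SELECT name, dl FROM mysql.func;

-- 2. Accounts with no password.  One of these on root is all the worm needs.
SELECT user, host FROM mysql.user WHERE password = '';

-- 3. Anonymous accounts, and root reachable from anywhere but the local host.
SELECT user, host FROM mysql.user WHERE user = '';
SELECT user, host FROM mysql.user
 WHERE user = 'root' AND host NOT IN ('localhost', '127.0.0.1');

-- 4. Accounts whose host column contains a wildcard ('%' or '_').
--    The backslash makes LIKE treat the wildcard character literally.
SELECT user, host FROM mysql.user
 WHERE host LIKE '%\%%' OR host LIKE '%\_%';

-- 5. Remediation, in the order the alert gives it:
--    drop the UDF (this does NOT remove the bot executable itself),
--    delete root@'%' and anonymous accounts, set a strong root password.
DROP FUNCTION app_result;
DELETE FROM mysql.user WHERE user = 'root' AND host = '%';
DELETE FROM mysql.user WHERE user = '';
SET PASSWORD FOR 'root'@'localhost'
  = PASSWORD('replace-with-a-long-random-passphrase');   -- placeholder
FLUSH PRIVILEGES;

-- 6. Verify: root must now only be listed for local hosts.
SELECT user, host FROM mysql.user WHERE user = 'root';
```

DROP FUNCTION fails with an error if no function of that name is registered, which is the result you want on a clean server; run step 1 first and drop whatever unexplained names it shows. The SQL only closes the door the worm walked through; the bot binary still has to be removed with the anti-virus tools the alert points to, and the server still has to be put behind a firewall or started with skip-networking.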
Re: About Mysql Security
Mike Bao [EMAIL PROTECTED] wrote:
> Last week, all the tables in one database had been deleted, which is the second time since I upgraded my operating system from NT 4.0 to Server 2003. Before that, they had been deleted many times. I just copied all table files to one database (one directory). They will work normally. I don't know whether my operation is correct or not. And I want to get more suggestions about mysql security, more details better. Look forward to hearing from you, thanks a lot.

To ask a correct question you should know half of the answer. :)

For your case, do FLUSH TABLES and LOCK TABLES before taking the files snapshot. Or, even better, use mysqlhotcopy.

--
Egor Egorov, MySQL AB / Ensita.net, www.mysql.com
About Mysql Security
Hi,

Last week, all the tables in one database had been deleted, which is the second time since I upgraded my operating system from NT 4.0 to Server 2003. Before that, they had been deleted many times. I just copied all table files to one database (one directory). They will work normally. I don't know whether my operation is correct or not. And I want to get more suggestions about mysql security, more details better.

Look forward to hearing from you, thanks a lot.

Michael
Re: MySQL Security
Sheraz [EMAIL PROTECTED] wrote:
> How can I achieve the security aspect in mysql? How secure can we make transactions over the internet for 3306?

Use SSL.

--
Egor Egorov, MySQL AB / Ensita.net, www.mysql.com
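What "Use SSL" looks like in the grant tables, as an added example that is not part of Egor's message: MySQL 4.0 and later can require an encrypted connection per account, so an application account that must reach port 3306 across the internet can be made unusable in the clear. The database name shop, the account app and the certificate subject and issuer strings are assumptions made for the example; the server must have been built with OpenSSL and started with ssl-ca, ssl-cert and ssl-key set in my.cnf, and the password values are placeholders.

```sql
-- Added example; shop, app and the certificate names are assumptions.

-- Confirm the server was built with SSL support before relying on it.
-- Anything other than YES means the REQUIRE clauses below are unusable.
SHOW VARIABLES LIKE 'have_openssl';

-- Weak: a remote account that may log in over a plaintext TCP connection.
GRANT SELECT, INSERT, UPDATE ON shop.* TO 'app'@'%'
  IDENTIFIED BY 'replace-with-a-long-random-passphrase';

-- Better: the same account, but the server refuses the login unless
-- the connection is encrypted.
GRANT SELECT, INSERT, UPDATE ON shop.* TO 'app'@'%'
  IDENTIFIED BY 'replace-with-a-long-random-passphrase'
  REQUIRE SSL;

-- Best: the client must also present a certificate with a specific
-- subject, signed by your own CA, so a stolen password alone is not enough.
GRANT SELECT, INSERT, UPDATE ON shop.* TO 'app'@'%'
  IDENTIFIED BY 'replace-with-a-long-random-passphrase'
  REQUIRE SUBJECT '/C=US/O=Example/CN=app-client'
      AND ISSUER  '/C=US/O=Example/CN=Example Internal CA';
FLUSH PRIVILEGES;

-- From a client session: an empty Ssl_cipher means THIS connection is
-- not encrypted, regardless of what the account requires.
SHOW STATUS LIKE 'Ssl_cipher';

-- Review which non-local accounts are still allowed in the clear
-- (ssl_type is '' for those; ANY, X509 or SPECIFIED otherwise).
SELECT user, host, ssl_type FROM mysql.user WHERE host <> 'localhost';
```

Re-issuing GRANT for an existing account updates its REQUIRE setting in place, so the three GRANTs above show the progression rather than three separate accounts. Requiring SSL protects the password and the data in transit; it does not replace the firewall, and an account with host '%' should still be narrowed to the address range the application actually connects from.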
MySQL Security
How can I achieve the security aspect in mysql? How secure can we make transactions over the internet for 3306?

Thanks
Sak
Re: MYSQL Security
Thank you Victoria and Mikhail. Thanks a lot.

Victoria Reznichenko [EMAIL PROTECTED] wrote:
> Timotius Alfa wrote:
>> Hi All,
>> I'm a newbie in MYSQL. Would you please tell me about Mysql Security? I used Windows 2000 for the mysql server.
>
> The privilege system of MySQL is described in the following section of the manual:
> http://www.mysql.com/doc/en/Privilege_system.html
>
> --
> Victoria Reznichenko, MySQL AB / Ensita.net, www.mysql.com
Re: MYSQL Security
> Hi, I'm a newbie in MYSQL. Would you please tell me about Mysql Security?

Generally you can find a lot of information about MySQL on http://www.mysql.com/doc/en/

About your question you can read here: http://www.mysql.com/doc/en/Privilege_system.html

Mikhail.

----- Original Message -----
From: Timotius Alfa [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, January 28, 2004 5:16 AM
Subject: MYSQL Security

> Hi All,
> I'm a newbie in MYSQL. Would you please tell me about Mysql Security? I used Windows 2000 for the mysql server.
> thank you
Re: MYSQL Security
Timotius Alfa [EMAIL PROTECTED] wrote:
> Hi All,
> I'm a newbie in MYSQL. Would you please tell me about Mysql Security? I used Windows 2000 for the mysql server.

The privilege system of MySQL is described in the following section of the manual:
http://www.mysql.com/doc/en/Privilege_system.html

--
Victoria Reznichenko, MySQL AB / Ensita.net, www.mysql.com
MYSQL Security
Hi All,

I'm a newbie in MYSQL. Would you please tell me about Mysql Security? I used Windows 2000 for the mysql server.

thank you
MySQL security
I'm running MySQL 4.0.12-standard on Mac OS X (10.2.4), for local use only. As no-one else needs access to the database, I'm trying to make it as secure as possible... so far I've added skip-name-resolve, skip-networking and safe-user-create into my.cnf.

I've also seen bind-ip=127.0.0.1 mentioned a few times as well, but I'm not sure if this is needed if skip-networking is set, or if one overrides the other?

As you can probably tell, I'm on the new side to this, so any help or advice is appreciated.

TIA!
Mel
RE: MySQL security
In your user table in the mysql database, remove all the lines that allow logins from other hosts.

  mysql> use mysql
  mysql> delete from user where host <> 'localhost';
  mysql> flush privileges;

-ms

-----Original Message-----
From: Mel [mailto:[EMAIL PROTECTED]]
Sent: Saturday, April 05, 2003 9:38 AM
To: [EMAIL PROTECTED]
Subject: MySQL security

I'm running MySQL 4.0.12-standard on Mac OS X (10.2.4), for local use only. As no-one else needs access to the database, I'm trying to make it as secure as possible... so far I've added skip-name-resolve, skip-networking and safe-user-create into my.cnf.

I've also seen bind-ip=127.0.0.1 mentioned a few times as well, but I'm not sure if this is needed if skip-networking is set, or if one overrides the other?

As you can probably tell, I'm on the new side to this, so any help or advice is appreciated.

TIA!
Mel
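On the part of Mel's question that the reply above does not cover, skip-networking versus binding to 127.0.0.1: they are not two settings that override each other in some unclear way. skip-networking tells mysqld not to listen on any TCP port at all, so local clients must use the Unix socket (named pipes on Windows), and a bind address is then irrelevant. bind-address=127.0.0.1 (the mysqld option is bind-address, not bind-ip) keeps TCP available but only on the loopback interface, for local tools that cannot use the socket. A my.cnf fragment for a local-only server, added here as an example and not taken from the original messages:

```ini
[mysqld]
# Do not listen on TCP at all; local clients connect through the Unix socket.
# With this set, a bind address is never consulted, so there is no need for one.
skip-networking

# Do not reverse-resolve client addresses; grants then match on IP only.
skip-name-resolve

# A user can only create new accounts with GRANT if it also has INSERT
# on mysql.user, which keeps ordinary accounts from minting new ones.
safe-user-create

# Alternative to skip-networking when some local tool really needs TCP:
# keep port 3306 open, but only on the loopback interface.  Use one or the
# other; if both are present skip-networking wins and no port is opened.
# bind-address = 127.0.0.1
```

After changing my.cnf, restart the server and confirm the result from the outside: with skip-networking, a connection attempt to 127.0.0.1:3306 is refused, while mysql -u root -p (socket) still works. The grant-table cleanup in the reply above is still worth doing, because a later change to my.cnf that re-enables networking would otherwise expose any remote-host accounts that were left behind.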
Re: MySQL Security Flaw - Dropped Databases
Hi,

On Thu, 19 Dec 2002, Michael Widenius wrote:

> With 'DROP DATABASE database_name'.
> Through the deprecated client function 'mysql_drop_db()'.
>
> The first case works correctly but in the second case the grant check is not done. I tracked this down to a merge I did between the 4.0 and 4.1 code in September last year :(
>
> The reason you could not repeat this is that MySQL-Front uses the old mysql_drop_db() call while you probably tested this with some client which uses the new way to drop a database.
>
> I will fix this at once for the next 4.0 release. Thanks for reporting this!

JFYI: this bug was fixed in MySQL 4.0.7, which will be available shortly (just uploading the files to give the mirrors some time to sync). A full announcement will be sent out on Friday.

Happy holidays!

Bye,
LenZ
--
Mr. Lenz Grimmer, MySQL AB, Production Engineer, Hamburg, Germany, www.mysql.com
For technical support contracts, visit https://order.mysql.com/?ref=mlgr

-
Before posting, please check:
http://www.mysql.com/manual.php (the manual)
http://lists.mysql.com/ (the list archive)
To request this thread, e-mail [EMAIL PROTECTED]
To unsubscribe, e-mail [EMAIL PROTECTED]
Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
MySQL Security Flaw - Dropped Databases
Hi!

Gary wrote:
> Hi,
> I'd like to add to the security flaw thread with my own experience.
> I have been hosting MySQL databases for over 2 years and on a few occasions have had user databases disappear.
> Last month one of my admin databases was dropped. The only user who has access to that database is root (me) and even after double checking all my scripts/code and database/table permissions I was unable to determine how it was done. I was able to track down the culprit and asked him how he did it. He replied:
>> When using MySQL-Front (version 2.5) as client to connect to a 4.x version MySQL server, any user (even without any granted rights) can drop any database. I guess there is a horrible security hole in MySQL 4.x.
> I don't really understand this client side exploit; nevertheless, the database WAS dropped and that is how he told me he did it. Is this a red herring (false lead)? If it is true, is this exploit being addressed?

I checked this up and notice that your user is right. In MySQL we have two different ways to drop a database:

- With 'DROP DATABASE database_name'.
- Through the deprecated client function 'mysql_drop_db()'.

The first case works correctly but in the second case the grant check is not done. I tracked this down to a merge I did between the 4.0 and 4.1 code in September last year :(

The reason you could not repeat this is that MySQL-Front uses the old mysql_drop_db() call while you probably tested this with some client which uses the new way to drop a database.

I will fix this at once for the next 4.0 release. Thanks for reporting this!

Regards,
Monty

--
MySQL 2003 Users Conference - http://www.mysql.com/events/uc2003/
Mr. Michael Widenius, MySQL AB, CTO, Helsinki, Finland, www.mysql.com
Re: MySQL security flaws uncovered
On Wed, 18 Dec 2002, Michael Bacarella wrote:

> A good question posted to another list.. forwarded message follows
>
>> Several vulnerabilities have been found in the MySQL database system, a light database package commonly used in Linux environments but which also runs on Microsoft platforms, HP-UX, Mac OS and more.
>> http://zdnet.com.com/2100-1104-977958.html
>
> So why no mention on the MySQL.COM site? That rather bugs me. In contrast, sites for products like Apache or Bind are very clear about current/past security issues. Is MySQL.COM the wrong place?

No, it was an internal communication problem. This was the first time I had to handle a security problem and I was not aware that our PR team did not catch my internal message about the security vulnerability. We will send out an announcement today, which will also be put on the web pages.

You can find my initial announcement here:
http://lists.mysql.com/cgi-ez/ezmlm-cgi?2:mss:144:200212:cedhfgmdkobfodelamkh

Sorry for the confusion - next time I hope to get it straight at once.

Bye,
LenZ
--
Mr. Lenz Grimmer, MySQL AB, Production Engineer, Hamburg, Germany, www.mysql.com
Re: MySQL security flaws uncovered
It's bad for business : )

Maybe they're taking the MS route.

At 12:19 AM 12/18/2002 -0500, Michael Bacarella wrote:
> A good question posted to another list.. forwarded message follows
>
>> Several vulnerabilities have been found in the MySQL database system, a light database package commonly used in Linux environments but which also runs on Microsoft platforms, HP-UX, Mac OS and more.
>> http://zdnet.com.com/2100-1104-977958.html
>
> So why no mention on the MySQL.COM site? That rather bugs me. In contrast, sites for products like Apache or Bind are very clear about current/past security issues. Is MySQL.COM the wrong place?
>
> --
> Michael Bacarella | Netgraft Corp | http://netgraft.com/

--
Michael She : [EMAIL PROTECTED]
WWW Homepage : http://www.binaryio.com/
Re: MySQL security flaws uncovered
Michael She wrote:
> It's bad for business : )
> Maybe they're taking the MS route.

I second this. These vulnerabilities are serious; they must be given more attention. Apache, PHP, RedHat and so on and so on are very careful with issues like this: all vulnerabilities/exploits are immediately published through all possible channels. Yes, it is always a pain to find out something like this; obviously the MySQL team would just like to forget this once and for all, but doing troublesome reinstalls/upgrades and so on is still better than getting our system hacked.

- Cs.

> At 12:19 AM 12/18/2002 -0500, Michael Bacarella wrote:
>> A good question posted to another list.. forwarded message follows
>>
>>> Several vulnerabilities have been found in the MySQL database system, a light database package commonly used in Linux environments but which also runs on Microsoft platforms, HP-UX, Mac OS and more.
>>> http://zdnet.com.com/2100-1104-977958.html
>>
>> So why no mention on the MySQL.COM site? That rather bugs me. In contrast, sites for products like Apache or Bind are very clear about current/past security issues. Is MySQL.COM the wrong place?
Re: MySQL security flaws uncovered
On Wed, 18 Dec 2002, Csongor Fagyal wrote:

> Michael She wrote:
>> It's bad for business : )
>> Maybe they're taking the MS route.
>
> I second this. These vulnerabilities are serious; they must be given more attention. Apache, PHP, RedHat and so on and so on are very careful with issues like this: all vulnerabilities/exploits are immediately published through all possible channels. Yes, it is always a pain to find out something like this; obviously the MySQL team would just like to forget this once and for all, but doing troublesome reinstalls/upgrades and so on is still better than getting our system hacked.

No, this is definitely not the case. As I've written in a separate message, we immediately reacted and released 3.23.54 to resolve this issue. The security problem was clearly mentioned in the release announcement that was posted to our announce mailing list:
http://lists.mysql.com/cgi-ez/ezmlm-cgi?2:mss:144:200212:cedhfgmdkobfodelamkh

But I fully agree - in this case the release announcement should have been put up on the web site as well. This was an error on our side and it will not happen again. We will send out another (more public) announcement later today, which will also be put up on the web pages.

Bye,
LenZ
--
Mr. Lenz Grimmer, MySQL AB, Production Engineer, Hamburg, Germany, www.mysql.com
MySQL Security Flaw - Dropped Databases
Hi,

I'd like to add to the security flaw thread with my own experience.

I have been hosting MySQL databases for over 2 years and on a few occasions have had user databases disappear.

Last month one of my admin databases was dropped. The only user who has access to that database is root (me) and even after double checking all my scripts/code and database/table permissions I was unable to determine how it was done. I was able to track down the culprit and asked him how he did it. He replied:

> When using MySQL-Front (version 2.5) as client to connect to a 4.x version MySQL server, any user (even without any granted rights) can drop any database. I guess there is a horrible security hole in MySQL 4.x.

I don't really understand this client side exploit; nevertheless, the database WAS dropped and that is how he told me he did it. Is this a red herring (false lead)? If it is true, is this exploit being addressed?

Regards,
Gary "SuperID" Huntress
===
FreeSQL.org offering free database hosting to developers
Visit http://www.freesql.org
Re: MySQL Security Flaw - Dropped Databases
Hi,

thanks for your message.

On Wed, 18 Dec 2002, Gary Huntress wrote:

> I'd like to add to the security flaw thread with my own experience.
>
> I have been hosting MySQL databases for over 2 years and on a few occasions have had user databases disappear.
>
> Last month one of my admin databases was dropped. The only user who has access to that database is root (me) and even after double checking all my scripts/code and database/table permissions I was unable to determine how it was done. I was able to track down the culprit and asked him how he did it. He replied:
>
>> When using MySQL-Front (version 2.5) as client to connect to a 4.x version MySQL server, any user (even without any granted rights) can drop any database. I guess there is a horrible security hole in MySQL 4.x.
>
> I don't really understand this client side exploit; nevertheless, the database WAS dropped and that is how he told me he did it. Is this a red herring (false lead)? If it is true, is this exploit being addressed?

Well, we can only address what we get informed about! In the future, it would be good if you could inform us about such potential security problems by sending your message to our mail address [EMAIL PROTECTED]

I've not heard about this specific issue before, but will forward it to our developers for further analysis.

Thanks,
LenZ
--
Mr. Lenz Grimmer, MySQL AB, Production Engineer, Hamburg, Germany, www.mysql.com
RE: MySQL security flaws uncovered
The real problem is the lack of a central knowledgebase. Is there one that I'm not aware of? Even if there is, it should be very obvious off the front page of the website.

-----Original Message-----
From: Csongor Fagyal [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 18, 2002 5:34 AM
To: [EMAIL PROTECTED]
Subject: Re: MySQL security flaws uncovered

Michael She wrote:
> It's bad for business : )
> Maybe they're taking the MS route.

I second this. These vulnerabilities are serious; they must be given more attention. Apache, PHP, RedHat and so on and so on are very careful with issues like this: all vulnerabilities/exploits are immediately published through all possible channels. Yes, it is always a pain to find out something like this; obviously the MySQL team would just like to forget this once and for all, but doing troublesome reinstalls/upgrades and so on is still better than getting our system hacked.

- Cs.
Re: MySQL security flaws uncovered
Csongor, Michael:

>> Maybe they're taking the MS route.
>
> I second this. These vulnerabilities are serious; they must be given more attention. Apache, PHP, RedHat and so on and so on are very careful with issues like this: all vulnerabilities/exploits are immediately published through all possible channels.

Have a look at the website of the person who uncovered the security flaw:

  Vendor Response
  03. December 2002 - Vendor was contacted by email.
  04. December 2002 - Vendor informs me that bugs are fixed and that they started building new packages.
  12. December 2002 - Vendor has released MySQL 3.23.54 which fixes these vulnerabilities.

Doesn't look like the MS way to me. See for yourselves:
http://security.e-matters.de/advisories/042002.html

Regards,
--
Stefan Hinz [EMAIL PROTECTED]
CEO / Geschäftsleitung iConnect GmbH http://iConnect.de
Heesestr. 6, 12169 Berlin (Germany)

----- Original Message -----
From: Csongor Fagyal [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, December 18, 2002 11:33 AM
Subject: Re: MySQL security flaws uncovered

> Michael She wrote:
>> It's bad for business : )
>> Maybe they're taking the MS route.
>
> I second this. These vulnerabilities are serious; they must be given more attention. Apache, PHP, RedHat and so on and so on are very careful with issues like this: all vulnerabilities/exploits are immediately published through all possible channels. Yes, it is always a pain to find out something like this; obviously the MySQL team would just like to forget this once and for all, but doing troublesome reinstalls/upgrades and so on is still better than getting our system hacked.
>
> - Cs.
>
>> At 12:19 AM 12/18/2002 -0500, Michael Bacarella wrote:
>>> A good question posted to another list.. forwarded message follows
>>>
>>>> Several vulnerabilities have been found in the MySQL database system, a light database package commonly used in Linux environments but which also runs on Microsoft platforms, HP-UX, Mac OS and more.
>>>> http://zdnet.com.com/2100-1104-977958.html
>>>
>>> So why no mention on the MySQL.COM site? That rather bugs me. In contrast, sites for products like Apache or Bind are very clear about current/past security issues. Is MySQL.COM the wrong place?
MySQL security vulnerabilities question
Hi, all, sql, query. Greetings. I got the following information. Does any one of you know whether it will impact my MySQL db server or not: Version 3.23.53 with InnoDB on Mac OS Darwin Kernel Version 6.2. If it does, what's the solution? Thank you, Jannie Qu

=== -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Tuesday, December 17, 2002 8:57 AM To: [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED]; [EMAIL PROTECTED] Subject: [CLA-2002:555] Conectiva Linux Security Announcement - MySQL

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1

CONECTIVA LINUX SECURITY ANNOUNCEMENT
PACKAGE : MySQL
SUMMARY : Several Vulnerabilities
DATE : 2002-12-17 11:51:00
ID: CLA-2002:555
RELEVANT RELEASES : 6.0, 7.0, 8

DESCRIPTION
MySQL is a very popular SQL database, distributed under the GNU-GPL license. Stefan Esser from e-matters[1] discovered several vulnerabilities in the MySQL code that affect both the server and the client library (libmysql) of MySQL. The server vulnerabilities can be exploited to crash the MySQL server, bypass password restrictions or even execute arbitrary code with the privileges of the user running the server process. The library ones consist in an arbitrary size heap overflow and a memory addressing problem that can be both exploited to crash or execute arbitrary code in programs linked against libmysql. More details about each vulnerability can be found in the e-matters security advisory[2]. The Common Vulnerabilities and Exposures project (cve.mitre.org) is tracking these issues with the names CAN-2002-1373, CAN-2002-1374, CAN-2002-1375 and CAN-2002-1376.

SOLUTION
We recommend that all MySQL users upgrade their packages as soon as possible. IMPORTANT: after the upgrade the mysql service must be restarted manually. In order to do that, run the following command as root:

    # /sbin/service mysql restart

It is also recommended to restart all programs linked against libmysql. A list of such programs in execution can be obtained with the following command:

    # /usr/sbin/lsof | grep libmysql

REFERENCES:
1. http://www.e-matters.de/
2. http://security.e-matters.de/advisories/042002.html
3. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1373
4. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1374
5. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1375
6. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1376

UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/MySQL-3.23.36-14U60_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/MySQL-bench-3.23.36-14U60_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/MySQL-client-3.23.36-14U60_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/MySQL-devel-3.23.36-14U60_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/MySQL-devel-static-3.23.36-14U60_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/MySQL-doc-3.23.36-14U60_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/MySQL-3.23.36-14U60_3cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/MySQL-3.23.36-14U70_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/MySQL-bench-3.23.36-14U70_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/MySQL-client-3.23.36-14U70_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/MySQL-devel-3.23.36-14U70_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/MySQL-devel-static-3.23.36-14U70_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/MySQL-doc-3.23.36-14U70_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/MySQL-3.23.36-14U70_3cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/MySQL-3.23.46-4U80_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/MySQL-bench-3.23.46-4U80_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/MySQL-client-3.23.46-4U80_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/MySQL-devel-3.23.46-4U80_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/MySQL-devel-static-3.23.46-4U80_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/MySQL-doc-3.23.46-4U80_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/MySQL-3.23.46-4U80_2cl.src.rpm

ADDITIONAL INSTRUCTIONS
Users of Conectiva Linux version 6.0 or higher may use apt to perform upgrades of RPM packages:
- run: apt-get update
- after that, execute: apt-get upgrade
Detailed instructions regarding the use of apt and upgrade examples can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en

All packages are signed with Conectiva's GPG key. The key and instructions
Re: MySQL security vulnerabilities question
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1

Hi, On Tue, 17 Dec 2002, Jannie Qu wrote: I got the following information. Does any one of you know whether it will impact my MySQL db server or not: Version 3.23.53 with InnoDB on Mac OS Darwin Kernel Version 6.2. If it does, what's the solution?

Yes, an unpatched MySQL 3.23.53 is vulnerable to the mentioned security problems. We provide updated binaries for Mac OS X 10.2 on our download web pages: http://www.mysql.com/downloads/mysql-3.23.html

Bye, LenZ
-- For technical support contracts, visit https://order.mysql.com/?ref=mlgr Mr. Lenz Grimmer [EMAIL PROTECTED] MySQL AB, Production Engineer Hamburg, Germany www.mysql.com
MySQL security flaws uncovered
A good question posted to another list.. forwarded message follows

Several vulnerabilities have been found in the MySQL database system, a light database package commonly used in Linux environments but which runs also on Microsoft platforms, HP-Unix, Mac OS and more. http://zdnet.com.com/2100-1104-977958.html

So why no mention on the MySQL.COM site? That rather bugs me. In contrast, sites for products like Apache or Bind are very clear about current/past security issues. Is MySQL.COM the wrong place?

-- Michael Bacarella | Netgraft Corp | 545 Eighth Ave #401 Systems Analysis | New York, NY 10018 Technical Support | 212 946-1038 | 917 670-6982 Managed Services | http://netgraft.com/
Mysql security and CGI
Hello all! I am working on a site which is using mod_perl and a mysql database on Linux with Apache. I am also putting cookies and user address information into a cookies table to fill up form fields for subsequent visits. Standard enough. Also, the database is on the same server as apache.

Now, my problem is that I am paranoid about hackers who are able to break in through apache and assume the user apache. Who can then issue mysql selects and inserts on the cookies table. Does anyone have pointers to mysql security docs and such where I can do what I want without these concerns?

Thanks a buncho in advance! --Raj

PS: THANK YOU MYSQL DEVELOPERS What a god-send!!
MySQL security
Hello I have a question for all you MySQL people out there. We are a group of people planning to make a small open source ERP/accounting/finance program. We have earlier used MySQL to great satisfaction in other areas and would like to use it here.

My question is: Do you think MySQL is secure enough to keep people's bookkeeping in? Is it safe enough to use without risk of losing important data? Is it necessary to do anything to make it secure? (eg. use of transactions/backup/power failure security)

Any comments are welcome :) /Mathias
Re: MySQL security
We use MySQL to store financial data and have never had a problem. The things you mentioned (transactions/backup/power failure security) should be used with ANY database that stores critical information that cannot be lost. No database is completely bullet proof. Regular backups stored at an offsite location, UPS power supply protection, transactions, and LOTS of testing before going live are the best things you can do.

Regards, Daniel Lamb

- Original Message - From: Mathias Bertelsen [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Tuesday, July 16, 2002 8:51 AM Subject: MySQL security

Hello I have a question for all you MySQL people out there. We are a group of people planning to make a small open source ERP/accounting/finance program. We have earlier used MySQL to great satisfaction in other areas and would like to use it here. My question is: Do you think MySQL is secure enough to keep people's bookkeeping in? Is it safe enough to use without risk of losing important data? Is it necessary to do anything to make it secure? (eg. use of transactions/backup/power failure security) Any comments are welcome :) /Mathias
Re: MySQL security
On Tue, Jul 16, 2002 at 02:51:59PM +0200, Mathias Bertelsen wrote: Hello Do you think MySQL is secure enough to keep people's bookkeeping in? Is it safe enough to use without risk of losing important data? Is it necessary to do anything to make it secure? (eg. use of transactions/backup/power failure security)

It is.

-- Jeremy D. Zawodny | Perl, Web, MySQL, Linux Magazine, Yahoo! [EMAIL PROTECTED] | http://jeremy.zawodny.com/ MySQL 3.23.51: up 47 days, processed 1,016,208,690 queries (246/sec. avg)
MySQL security
Hi, I'm working on security breaches in MySQL. Can someone guide me in this? To be precise, can you tell me about some literature, some book which is easy to understand and also profound! If anyone is working on that, I'll be more than happy to interact. Thanking you. Paras.
RE: MySQL security
Are MySQL really going to give you details of their past security 'issues'? Think about it. Try going underground and looking on some exploit sites. DA

Hi, I'm working on security breaches in MySQL. Can someone guide me in this? To be precise, can you tell me about some literature, some book which is easy to understand and also profound! If anyone is working on that, I'll be more than happy to interact. Thanking you. Paras.
RE: MySQL security
On Tue, 16 Apr 2002, David Ayliffe wrote: Are MySQL really going to give you details of their past security 'issues'? Think about it. Try going underground and looking on some exploit sites. DA Hi, I'm working on security breaches in MySQL. Can someone guide me in this? To be precise, can you tell me about some literature, some book which is easy to understand and also profound! If anyone is working on that, I'll be more than happy to interact. Thanking you.

Why not? If a vulnerability is discovered for which no known exploit exists it's reasonable to withhold that information (for a limited period) whilst a fix is developed. If the vulnerability is showing up on exploit sites I'd expect MySQL AB to be shouting its existence (if not how-to details) from the roof tops so the users can take counter measures whether a fix exists or not.

Nigel
mySQL security
Hi all, I have set up mySQL database server on my web server running on RH Linux 7.2. There are 2 user accounts, root and dummy, who can access the databases. I'm wondering how to restrict the access to mysql (the db which stores user id, password, etc...). Right now, both users can run select, delete, update... statements on this database. How do I set the permissions so that only root can view, modify, delete tables or data in this database?

Thanks in advance, kaz
Re: mySQL security
Dear - -: I would revoke all permissions for dummy, then create new permissions for users on a database-by-database basis. If you look at the syntax for GRANT in the manual, you can stipulate which databases a user would have access to.

A word of caution: don't use root. Create a user for yourself and give it full permissions, then use it to administer the database.

Gerald Jensen

- Original Message - From: - - [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, January 07, 2002 9:13 PM Subject: mySQL security

Hi all, I have set up mySQL database server on my web server running on RH Linux 7.2. There are 2 user accounts, root and dummy, who can access the databases. I'm wondering how to restrict the access to mysql (the db which stores user id, password, etc...). Right now, both users can run select, delete, update... statements on this database. How do I set the permissions so that only root can view, modify, delete tables or data in this database? Thanks in advance, kaz
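What Gerald describes, written out as statements. This is an added example, not something posted in the thread. It uses the GRANT/REVOKE forms accepted by the 3.23/4.0 servers discussed on this list, where GRANT ... IDENTIFIED BY also creates the account; the application database name shop, the admin account name and the <...> password placeholders are assumptions. It also closes the two gaps a default install of that era leaves open, a blank root password and the anonymous accounts, since a blank-password root is exactly what the UDF worm described earlier on this page looks for.

```sql
-- Added example, not from the thread. Run as root on the server.
-- Assumed names: application database `shop`, admin account `admin`,
-- placeholders `<dummy-pw>`, `<admin-pw>`, `<root-pw>`.

-- 1. Strip every global privilege dummy holds. A global SELECT (the
--    Select_priv column of mysql.user) is what lets it read mysql.user.
REVOKE ALL PRIVILEGES ON *.* FROM 'dummy'@'localhost';

-- 2. Re-grant only what the application needs, on its own database.
--    IDENTIFIED BY on an existing account also resets its password.
GRANT SELECT, INSERT, UPDATE, DELETE ON shop.*
    TO 'dummy'@'localhost' IDENTIFIED BY '<dummy-pw>';

-- 3. A personal administrative account, so root is not used day to day.
GRANT ALL PRIVILEGES ON *.* TO 'admin'@'localhost'
    IDENTIFIED BY '<admin-pw>' WITH GRANT OPTION;

-- 4. Give root a real password and remove the anonymous accounts
--    (User = '') that the default grant tables contain.
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('<root-pw>');
DELETE FROM mysql.user WHERE User = '';
FLUSH PRIVILEGES;   -- required after editing mysql.* directly

-- 5. Verify. dummy should show only the shop.* grant; the second query
--    shows whether any database-level rows for dummy survive, because a
--    global REVOKE clears mysql.user but not mysql.db.
SHOW GRANTS FOR 'dummy'@'localhost';
SELECT Db, User, Host FROM mysql.db WHERE User = 'dummy';

-- 6. If the previous SELECT lists a row for the mysql database, clear it:
REVOKE ALL PRIVILEGES ON mysql.* FROM 'dummy'@'localhost';
```

Database-level and table-level grants live in mysql.db and mysql.tables_priv, so step 5 is the check that the REVOKE in step 1 actually left dummy with nothing on the mysql database; with only shop.* privileges it cannot even list that database. From then on connect as admin with mysql -u admin -p and let the client prompt, rather than putting the password on the command line where other local users can read it from the process list.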
RE: MySQL Security w/ PHP
Hi! On Oct 28, Kevin Maynard wrote: I have been building an extensive dB with MySQL for a large Insurance Company and am nearing the completion stage. I have built several PHP forms to show the preliminary pages to the various groups who will be using this dB. I have created the sign-in page where each user types in their ID and PW. From then on each query uses those variables for credentials. To avoid duplication, I would like to use the USER form from the MySQL dB.

You shouldn't do it. This table is used by the mysql server internally, and shouldn't be accessed directly. To modify this user table one should use GRANT and REVOKE statements. To read it - SHOW GRANTS. (actually, it can be accessed directly, but ONLY if you know what you're doing. It looks like you aren't)

Since that uses the Password(PW) function, I can't seem to get my validation query to work properly. For example:

    SELECT User,Password from user where (User=$ID AND Password=$PW);
    Result: Empty Set.
    SELECT User,Password from user where (User=$ID AND Password($PW));
    Result: Will match User only, will accept ANY PW.

    SELECT User,Password from user where (User=$ID AND Password=PASSWORD($PW));

Does anyone know how to properly check off the PW from the User table in the MySQL db?

The proper way is not to use system tables, and the mysql db in general. Create your own database, and a User table in it. And, the last, you'd better use MD5() instead of PASSWORD().

Another good reason not to do this: At startup, mysqld reads all privileges for all users into memory - and they stay there whether or not those people log in. Seems to be a pretty stupid way of using up your RAM. Add to that the time spent by MySQL checking permissions for one in thousands of users for every single query - ugh...

/ Carsten -- Carsten H. Pedersen keeper and maintainer of the bitbybit.dk MySQL FAQ http://www.bitbybit.dk/mysqlfaq
MySQL Security w/ PHP
I have been building an extensive dB with MySQL for a large Insurance Company and am nearing the completion stage. I have built several PHP forms to show the preliminary pages to the various groups who will be using this dB. I have created the sign-in page where each user types in their ID and PW. From then on each query uses those variables for credentials. To avoid duplication, I would like to use the USER form from the MySQL dB. Since that uses the Password(PW) function, I can't seem to get my validation query to work properly. For example:

    SELECT User,Password from user where (User=$ID AND Password=$PW);
    Result: Empty Set.
    SELECT User,Password from user where (User=$ID AND Password($PW));
    Result: Will match User only, will accept ANY PW.

Does anyone know how to properly check off the PW from the User table in the MySQL db? Thanks, Kevin
RE: MySQL Security w/ PHP
Have you tried something like

    SELECT User,Password from user where (User=$ID AND Password($PW)=password);

ie. equate the result of password(string) to the stored, encrypted, password

Regards Quentin

-Original Message- From: Kevin Maynard [mailto:[EMAIL PROTECTED]] Sent: Monday, 29 October 2001 11:52 a.m. To: [EMAIL PROTECTED] Subject: MySQL Security w/ PHP

I have been building an extensive dB with MySQL for a large Insurance Company and am nearing the completion stage. I have built several PHP forms to show the preliminary pages to the various groups who will be using this dB. I have created the sign-in page where each user types in their ID and PW. From then on each query uses those variables for credentials. To avoid duplication, I would like to use the USER form from the MySQL dB. Since that uses the Password(PW) function, I can't seem to get my validation query to work properly. For example:

    SELECT User,Password from user where (User=$ID AND Password=$PW);
    Result: Empty Set.
    SELECT User,Password from user where (User=$ID AND Password($PW));
    Result: Will match User only, will accept ANY PW.

Does anyone know how to properly check off the PW from the User table in the MySQL db? Thanks, Kevin
Re: MySQL Security w/ PHP
Hi! On Oct 28, Kevin Maynard wrote: I have been building an extensive dB with MySQL for a large Insurance Company and am nearing the completion stage. I have built several PHP forms to show the preliminary pages to the various groups who will be using this dB. I have created the sign-in page where each user types in their ID and PW. From then on each query uses those variables for credentials. To avoid duplication, I would like to use the USER form from the MySQL dB.

You shouldn't do it. This table is used by the mysql server internally, and shouldn't be accessed directly. To modify this user table one should use GRANT and REVOKE statements. To read it - SHOW GRANTS. (actually, it can be accessed directly, but ONLY if you know what you're doing. It looks like you aren't)

Since that uses the Password(PW) function, I can't seem to get my validation query to work properly. For example:

    SELECT User,Password from user where (User=$ID AND Password=$PW);
    Result: Empty Set.
    SELECT User,Password from user where (User=$ID AND Password($PW));
    Result: Will match User only, will accept ANY PW.

    SELECT User,Password from user where (User=$ID AND Password=PASSWORD($PW));

Does anyone know how to properly check off the PW from the User table in the MySQL db?

The proper way is not to use system tables, and the mysql db in general. Create your own database, and a User table in it. And, the last, you'd better use MD5() instead of PASSWORD().

Regards, Sergei
-- MySQL Development Team Sergei Golubchik [EMAIL PROTECTED] MySQL AB, http://www.mysql.com/ Osnabrueck, Germany
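Sergei's advice (repeated in Carsten's reply above) turned into a concrete schema: an application-owned database and user table, passwords stored hashed, and the check the sign-in page runs. This is an added example, not code from the thread; the names insapp, app_user and webapp and the enrolled sample row are assumptions. Two points the thread does not make: the queries quoted above paste $ID and $PW straight into the SQL string, so a quote character in a form field changes the query (use bound parameters, shown here as ?), and an unsalted MD5() of a password can be matched against precomputed tables, so a per-user salt goes in. A current deployment would hash in the application with a purpose-built password hash (bcrypt, scrypt or Argon2) instead of MD5() in SQL; the shape of the table and of the check stays the same.

```sql
-- Added example, not from the thread. Assumed names: database `insapp`,
-- table `app_user`, application account `webapp`; the enrolled user is
-- constructed sample data. Everything here is accepted by a 3.23/4.0
-- server (MD5(), CONCAT(), SUBSTRING(), user variables).
CREATE DATABASE insapp;
USE insapp;

CREATE TABLE app_user (
    id       INT          NOT NULL AUTO_INCREMENT PRIMARY KEY,
    login    VARCHAR(32)  NOT NULL,
    salt     CHAR(16)     NOT NULL,   -- random per-user value, stored in clear
    pw_hash  CHAR(32)     NOT NULL,   -- hex MD5(CONCAT(salt, password))
    UNIQUE KEY (login)
);

-- Enrolment: pick a salt, store it next to the salted hash. RAND() is a
-- stand-in so the example runs as pure SQL; an application should draw
-- the salt from the operating system's random source instead.
SET @salt = SUBSTRING(MD5(RAND()), 1, 16);
INSERT INTO app_user (login, salt, pw_hash)
VALUES ('kevin', @salt, MD5(CONCAT(@salt, 'correct horse')));

-- Sign-in check. The two ? are bind-parameter placeholders (DBI
-- placeholders; PDO or mysqli in later PHP): the login first, then the
-- submitted password. One row back means valid credentials, an empty
-- set means reject. Never interpolate the form fields into this string.
SELECT id
  FROM app_user
 WHERE login   = ?
   AND pw_hash = MD5(CONCAT(salt, ?));

-- The web application's own MySQL account needs nothing beyond this
-- table and must have no privileges at all on the mysql database.
GRANT SELECT, INSERT ON insapp.app_user
   TO 'webapp'@'localhost' IDENTIFIED BY '<webapp-pw>';
```

The check recomputes MD5(salt + typed password) and compares it with the stored column, so the clear password is never written to the table; the same query with a wrong password simply returns an empty set, which is the result the sign-in page should treat as a failed login rather than the "matches any password" behaviour of the second query in the thread.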
Mysql Security
Hello Is it possible to authenticate a user running mysql client by comparing the unix username ($LOGNAME) with the user table in mysql? It seems more secure than specifying the authentication parameters in a configuration file or along with the client. Thanks Sachin
Mysql Security
Hello my friend, sure it's possible! Additionally you can insert into the user table of mysql the encrypted password hash of your local /etc/shadow file to verify the correct password and authenticate the user. Hope it helps Christian

sachin shetty wrote: Hello Is it possible to authenticate a user running mysql client by comparing the unix username ($LOGNAME) with the user table in mysql? It seems more secure than specifying the authentication parameters in a configuration file or along with the client. Thanks Sachin
Re: Mysql Security (fwd)
-- Forwarded message -- Date: Thu, 26 Jul 2001 13:15:06 -0400 (EDT) From: sachin shetty [EMAIL PROTECTED] To: Christian Grimm [EMAIL PROTECTED] Subject: Re: Mysql Security

Thanks Christian But when a user connects to the server isn't it mandatory to specify the password? Is it possible to authenticate the user by only his unix username? The fact that he has logged on should not require him to specify the password again. Thanks again
Re: Mysql Security (fwd)
The fact that he has logged on should not require him to specify the password again.

This fact means: when a user is logged in, he is allowed to use the mysql-server. Use this one (every logged-on user on localhost has all rights to every base and table without pw):

    GRANT USAGE ON *.* TO %@localhost IDENTIFIED BY ;

Hope that's the right one... ;-) Christian
RE: MySQL security settings
I installed MySQL on Windows NT. Currently, I log in using the anonymous user. I can't seem to log in as root user. The syntax is: mysql -u root -p xxx It seems funny as I can see the root password in the MySQL database -- user table. Any help? Nyon
Re: MySQL Security
Apache can be set to run your cgi as your user which means that it could be set world unreadable I think.

On Wed, 4 Apr 2001, Taing Nguon wrote: Date: Wed, 4 Apr 2001 07:14:33 +0700 From: Taing Nguon [EMAIL PROTECTED] To: "William R. Mussatto" [EMAIL PROTECTED] Cc: [EMAIL PROTECTED] Subject: Re: MySQL Security

Make sure that the files are not world readable. In Linux system, in order to run CGI in PERL script, that perl script must be 755. It is read by any users and Perl is written in text format, so it is easy to know user and password of MYSQL. How do you think about this? Need More HELP Million of thanks Regards Taing Nguon

On Tue, 3 Apr 2001, Taing Nguon wrote: Date: Tue, 3 Apr 2001 09:52:30 +0700 From: Taing Nguon [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: MySQL Security

Dear sir or madam MySQL user's account is not related to user's account on Linux System, so they can be different. My problem is that I use perl DBI to interact with MySQL server as below:

    use DBI;
    $dbh = DBI->connect("DBI:mysql:DatabaseName","$user","$password");

So $user and $password can be known by any users in Linux system because they are written in text format and DataBase can be changed or updated by other users in Linux system easily by using Perl DBI. Is there any way to prevent Database from being changed? Million of thanks Regards Taing Nguon

Sincerely, William Mussatto, Senior Systems Engineer CyberStrategies, Inc ph. 909-920-9154 ext. 27
Re: MySQL Security
Make sure that the files are not world readable.

On Tue, 3 Apr 2001, Taing Nguon wrote: Date: Tue, 3 Apr 2001 09:52:30 +0700 From: Taing Nguon [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: MySQL Security

Dear sir or madam MySQL user's account is not related to user's account on Linux System, so they can be different. My problem is that I use perl DBI to interact with MySQL server as below:

    use DBI;
    $dbh = DBI->connect("DBI:mysql:DatabaseName","$user","$password");

So $user and $password can be known by any users in Linux system because they are written in text format and DataBase can be changed or updated by other users in Linux system easily by using Perl DBI. Is there any way to prevent Database from being changed? Million of thanks Regards Taing Nguon

Sincerely, William Mussatto, Senior Systems Engineer CyberStrategies, Inc ph. 909-920-9154 ext. 27
Re: MySQL Security
I would think that if the user does not have grant options set on the particular DB in the mysql.db table, then he would not be able to access it using DBI, even if he is a local user.

I have already tried to do it by myself, and I found that although any user has no MYSQL user's account, he can still update data to Mysql Database via perl DBI because they know user and password of MYSQL when your perl code is written in text format? NEED more Help Million of thanks Regards Taing Nguon

At 10:52 PM 4/2/01, you wrote: Dear sir or madam MySQL user's account is not related to user's account on Linux System, so they can be different. My problem is that I use perl DBI to interact with MySQL server as below:

    use DBI;
    $dbh = DBI->connect("DBI:mysql:DatabaseName","$user","$password");

So $user and $password can be known by any users in Linux system because they are written in text format and DataBase can be changed or updated by other users in Linux system easily by using Perl DBI. Is there any way to prevent Database from being changed? Million of thanks Regards Taing Nguon
Re: MySQL Security
Make sure that the files are not world readable.

In Linux system, in order to run CGI in PERL script, that perl script must be 755. It is read by any users and Perl is written in text format, so it is easy to know user and password of MYSQL. How do you think about this? Need More HELP Million of thanks Regards Taing Nguon

On Tue, 3 Apr 2001, Taing Nguon wrote: Date: Tue, 3 Apr 2001 09:52:30 +0700 From: Taing Nguon [EMAIL PROTECTED] To: [EMAIL PROTECTED] Subject: MySQL Security

Dear sir or madam MySQL user's account is not related to user's account on Linux System, so they can be different. My problem is that I use perl DBI to interact with MySQL server as below:

    use DBI;
    $dbh = DBI->connect("DBI:mysql:DatabaseName","$user","$password");

So $user and $password can be known by any users in Linux system because they are written in text format and DataBase can be changed or updated by other users in Linux system easily by using Perl DBI. Is there any way to prevent Database from being changed? Million of thanks Regards Taing Nguon

Sincerely, William Mussatto, Senior Systems Engineer CyberStrategies, Inc ph. 909-920-9154 ext. 27
Re: MySQL Security
"Taing Nguon" [EMAIL PROTECTED] wrote:

Make sure that the files are not world readable.

In a Linux system, in order to run CGI in a Perl script, that Perl script must be 755. It is readable by any user, and Perl is written in text format, so

Not entirely true. The reason the files are set to 755 on your box is because they are not owned by the same user as that which is running the Apache web daemon. Remember, most Apache setups (at least the smart ones) have Apache doing a chroot to "nobody" to prevent someone from breaking into your system as root via Apache.
Re: MySQL Security
Taing Nguon wrote:

Make sure that the files are not world readable.

In a Linux system, in order to run CGI in a Perl script, that Perl script must be 755. It is readable by any user, and Perl is written in text format, so it is easy to know the user and password of MySQL. What do you think about this? Need more HELP.

Millions of thanks.

Regards,
Taing Nguon

Taing:

Reread my last post. And, if not, step by step:

In httpd.conf:

# Run web-server as this user
User www

chown www.www /www -Rf
chmod 0750 /www
chmod o-rwx /www -Rf

Done. Now your Perl scripts will run as user www, and nobody on the system will be able to read the Perl scripts unless you add them to the www group. Something tells me you won't.

Regards,
Van
--
Linux rocks!!! http://www.dedserius.com
MySQL Security
Dear sir or madam,

MySQL user accounts are not related to user accounts on the Linux system, so they can be different. My problem is that I use Perl DBI to interact with the MySQL server as below:

use DBI;
$dbh = DBI->connect("DBI:mysql:DatabaseName", "$user", "$password");

So $user and $password can be known by any user on the Linux system because they are written in text format, and the database can be changed or updated by other users on the Linux system easily by using Perl DBI. Is there any way to prevent the database from being changed?

Millions of thanks.

Regards,
Taing Nguon
Re: MySQL Security
Taing Nguon wrote:

Dear sir or madam,

MySQL user accounts are not related to user accounts on the Linux system, so they can be different. My problem is that I use Perl DBI to interact with the MySQL server as below:

use DBI;
$dbh = DBI->connect("DBI:mysql:DatabaseName", "$user", "$password");

So $user and $password can be known by any user on the Linux system because they are written in text format, and the database can be changed or updated by other users on the Linux system easily by using Perl DBI. Is there any way to prevent the database from being changed?

Millions of thanks.

Regards,
Taing Nguon

Taing:

I use php3 to do my apps for web applications, and chown the /www/ files to www.www and chmod them to 0750 with the server running as user www. This prevents any users from viewing the source code, i.e. the /www/ files that contain your Perl scripts. This might be an option for you if the Perl user can run as www.www and you can run those Perl scripts as user www within the web context. This is just how I do it, but others might have different implementations.

Best Regards,
Van
--
Linux rocks!!! http://www.dedserius.com
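The lock-down Van describes in this message and in his step-by-step reply above (server running as user www, files owned by www.www, mode 0750, "other" bits removed) can be audited and applied with a few lines of POSIX shell. The script below is an added example and is not code from the thread or from any poster. It assumes, as the thread does, that the web server already runs as the user and group that own the directory, so stripping the "other" permission bits does not break CGI execution; the directory layout, file names and the Perl snippet with an embedded password are constructed for the demo.

```sh
#!/bin/sh
# Added example (not from the thread): audit and lock down a CGI directory so
# that scripts containing MySQL credentials are not readable by other local
# users. Assumes the web server runs as the user/group that owns the directory
# (the thread's "User www" in httpd.conf), so 0750 keeps the scripts runnable.

# is_world_readable FILE: succeeds if the "other" class can read FILE.
# The 8th character of `ls -ld` output is the other-read bit ('r' or '-').
is_world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# find_world_readable DIR: print every path under DIR that others can read.
# -perm -004 matches when the other-read bit is set, whatever else is set.
find_world_readable() {
    find "$1" -perm -004 -print
}

# count_world_readable DIR: number of offending paths, for a quick audit.
count_world_readable() {
    find_world_readable "$1" | wc -l | tr -d ' '
}

# lock_down DIR: remove every "other" permission recursively, then make the
# top-level directory 0750 (owner rwx, group rx, others nothing). This mirrors
# the thread's `chmod o-rwx /www -Rf` followed by `chmod 0750 /www`.
lock_down() {
    chmod -R o-rwx "$1" && chmod 0750 "$1"
}

# Demo on a constructed directory: a 755 CGI script with an embedded password.
main() {
    demo=$(mktemp -d) || exit 1
    mkdir "$demo/cgi-bin"
    printf '#!/usr/bin/perl\nuse DBI;\nmy $dbh = DBI->connect("DBI:mysql:app", "app", "secret");\n' \
        > "$demo/cgi-bin/app.cgi"
    chmod 755 "$demo/cgi-bin" "$demo/cgi-bin/app.cgi"

    echo "before: $(count_world_readable "$demo") world-readable path(s)"
    find_world_readable "$demo"
    lock_down "$demo"
    echo "after:  $(count_world_readable "$demo") world-readable path(s)"
    rm -rf "$demo"
}

main
```

Run it as root on the real directory only after confirming with `ps -o user,comm` that the CGI processes actually run as the owning user; otherwise the 0750 mode will make the scripts unreadable to the server as well. The lock-down hides the password from other local accounts but does nothing about what that MySQL account may do once connected, so the grant for the application account in mysql.db (the point raised at the top of this thread) should still be limited to the databases and statements the script needs.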
Re: mysql security issue, overflow
Sergei Golubchik wrote:

Hi!

On Jan 12, João Gouveia wrote:

Hi, I believe I've found a problem in MySQL. Here are some tests I've made in 3.22.27 x86 (also tested on v3.22.32, the latest stable; although I didn't debug it, I just tested to see if it crashes).

Confirmed up to the latest 3.23. This will be fixed ASAP!

Is it fixed now? Is there a patch available? Please give us info, our servers are in the wild.

Nicob
Re: mysql security issue
Hi!

On Jan 15, Nicolas GREGOIRE wrote:

Sergei Golubchik wrote:

Hi!

On Jan 12, João Gouveia wrote:

Hi, I believe I've found a problem in MySQL. Here are some tests I've made in 3.22.27 x86 (also tested on v3.22.32, the latest stable; although I didn't debug it, I just tested to see if it crashes).

Confirmed up to the latest 3.23. This will be fixed ASAP!

Is it fixed now? Is there a patch available? Please give us info, our servers are in the wild.

Nicob

The new MySQL release with this bug fixed will be available today (probably in 5-10 hours).

Regards,
Sergei
--
MySQL Development Team
Sergei Golubchik [EMAIL PROTECTED]
MySQL AB, http://www.mysql.com/
Helsinki, Finland (till Sunday)