Hi,

What Brad notes is only half true - at least on my 3.22.32 and I suspect that
on his system doing

mysql -u mickeymouse-p

will work just as well. The test is to then try and USE the mysql db as
follows. First a legitimate root access:

mysql -u root -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 4776 to server version: 3.22.32
Type 'help' for help.
mysql> use mysql
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> Bye

Now Brad's access:

mysql -u root-p
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 4777 to server version: 3.22.32
Type 'help' for help.
mysql> use mysql
ERROR 1044: Access denied for user: '@localhost' to database 'mysql'
mysql> Bye

Apologies for copying to the Bugs list but merited in this case I believe, and
please correct me if there is indeed a risk here but I believe there not to be.

Nick

On Tue, May 30, 2000 at 05:48:24PM -0400, Brad Johnson wrote:
> I'm using mysql 3.22.32 on Linux 2.2.14 kernel, and I believe that I've found
> a major problem.
>
> If, at the command line, I type
>
> $ mysql -u root -p
>
> I get a password prompt, just like I should. However, if I type
>
> $ mysql -u root-p
>
> without the space after the "root," it lets me right in. I can do this as
> any user, and I can repeat it over and over. This seems to be a serious
> vulnerability.
>
> Brad Johnson
> UNIX Systems Administrator
> Trivergent Communications, INC.
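
An added illustration, not part of either message and not MySQL's own code: a small Python model of why `-u root-p` connects without a prompt yet fails at `use mysql`. It assumes the server has a passwordless blank-user (anonymous) row for localhost, which the '@localhost' in the error above suggests; the table rows, the sample password and all function names are constructed.

```python
# Constructed model of the account lookup; rows and password are sample values
# (a real server stores password hashes, simplified here to plain strings).
USER_TABLE = [
    # (Host, User, Password): a blank User is the anonymous account
    ("localhost", "root", "s3cret"),
    ("localhost", "", ""),
]
# Databases each matched account may USE (constructed).
DB_GRANTS = {("localhost", "root"): {"mysql"}, ("localhost", ""): set()}

def parse_client_args(argv):
    """getopt-style parsing: -u takes the next word whole, so 'root-p'
    is a user name and no -p flag (password prompt) is ever seen."""
    user, prompt, i = "", False, 0
    while i < len(argv):
        arg = argv[i]
        if arg == "-u" and i + 1 < len(argv):
            i += 1
            user = argv[i]
        elif arg.startswith("-u") and len(arg) > 2:
            user = arg[2:]
        elif arg.startswith("-p"):
            prompt = True
        i += 1
    return user, prompt

def authenticate(host, user, password):
    """Return the matched (Host, User) row, or None if access is denied.
    Exact user names are tried before the blank (anonymous) entry."""
    rows = sorted((r for r in USER_TABLE if r[0] == host and r[1] in (user, "")),
                  key=lambda r: r[1] == "")
    if rows and rows[0][2] == password:
        return rows[0][:2]
    return None

def session(argv, typed_password=""):
    """Account the server sees, and whether 'use mysql' would succeed."""
    user, prompt = parse_client_args(argv)
    account = authenticate("localhost", user, typed_password if prompt else "")
    allowed = account is not None and "mysql" in DB_GRANTS.get(account, set())
    return account, allowed

def anonymous_accounts():
    """Audit helper: rows that accept any user name, with password state."""
    return [(h, "password set" if p else "no password")
            for h, u, p in USER_TABLE if u == ""]

if __name__ == "__main__":
    print(session(["-u", "root", "-p"], "s3cret"))  # real root login
    print(session(["-u", "root-p"]))                # lands on the anonymous row
    print(anonymous_accounts())                     # what an audit should flag
```

The audit helper corresponds to reviewing the server's user table for rows with a blank user name and no password.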