At 11:02 -0600 3/24/03, Jeremy Tinley wrote:
>Authorized != trusted.
>
>If you're a hosting provider who allows access to MySQL for customers, your
>users have access to see the version number by way of simply connecting to
>their own database. Not that "mysql --version" from a shell doesn't give you
>the same thing...
In fact, it may not give you the same thing. There is no guarantee that
any client program comes from the same distribution as the server.
> but paying for a low end account, finding the version
>number the host is running and finding an exploit for that version would
>probably be what the original poster had in mind of preventing.
>
>
>
>-----Original Message-----
>From: Joseph Bueno [mailto:joseph.bueno@stripped]
>Sent: Monday, March 24, 2003 10:39 AM
>To: Florian Effenberger
>Cc: mysql@stripped
>Subject: Re: disabling version number
>
>Florian Effenberger wrote:
>>>No, why?
>>
>>
>> Part of my security concept, I generally disable all version numbers.
>>
>>
>You can patch mysql source and recompile ;)
>
>However, if someone has enough access rights on your system to run
>"select version();", showing mysql version number should be the least
>important of your problems.
>
>Regards,
>Joseph Bueno
--
Paul DuBois
http://www.kitebird.com/
sql, query
