List: General Discussion
From: Paul DuBois
Date: March 24 2003 5:21pm
Subject: RE: disabling version number
At 11:02 -0600 3/24/03, Jeremy Tinley wrote:
>Authorized != trusted.
>
>If you're a hosting provider who allows access to MySQL for customers, your
>users have access to see the version number by way of simply connecting to
>their own database. Not that "mysql --version" from a shell doesn't give you
>the same thing...

In fact, it may not give you the same thing.  There is no guarantee that
any client program comes from the same distribution as the server.

>  but paying for a low end account, finding the version
>number the host is running and finding an exploit for that version would
>probably be what the original poster had in mind of preventing.
>
>
>
>-----Original Message-----
>From: Joseph Bueno [mailto:joseph.bueno@stripped]
>Sent: Monday, March 24, 2003 10:39 AM
>To: Florian Effenberger
>Cc: mysql@stripped
>Subject: Re: disabling version number
>
>Florian Effenberger wrote:
>>>No, why?
>>
>>
>>  Part of my security concept, I generally disable all version numbers.
>>
>>
>You can patch mysql source and recompile ;)
>
>However, if someone has enough access rights on your system to run
>"select version();", showing mysql version number should be the least
>important of your problems.
>
>Regards,
>Joseph Bueno


-- 
Paul DuBois
http://www.kitebird.com/