List: General Discussion
From: Daevid Vincent
Date: November 14 2010 9:22pm
Subject: RE: FW: [USN-1017-1] MySQL vulnerabilities
I don't think you understand how many exploits work. Through some social
engineering or plain brute force or rainbow tables I can get the user/pass
for many typical users. I could also give you some code and tell you to run
it and thereby my code is executed as an "authenticated user" without you
even knowing it. And here's another statistic you might not be aware of --
most "hacking" attempts are done BY people INSIDE a company, not external to
it. It's extremely foolish and short-sighted to think that your system is
safe unless it's in a "glass jar" and YOU are the ONLY user on it. Even
then, YOUR account could be compromised too.

-----Original Message-----
From: Jan Steinman [mailto:Jan@stripped] 
Sent: Saturday, November 13, 2010 1:33 PM
To: mysql@stripped
Subject: RE: FW: [USN-1017-1] MySQL vulnerabilities

> From: "Daevid Vincent" <daevid@stripped>
> 
> my point exactly. there is NONE. and if you don't patch your mysql as
> needed, then you will need a lot more help when you're hacked. ;-p

I note that the impact of every single one of these vulnerabilities was "An
authenticated user could exploit this to make MySQL crash, causing a denial
of service."

That's a pretty low threat level. No mention was made of gaining or
increasing access, nor of corrupting data.

First, you need an "authenticated user" who is trying to "exploit" a
vulnerability to cause "denial of service."

If you're allowing a publicly accessible pseudo-user to exploit such
vulnerabilities through script injection, that's YOUR problem!

If an "authenticated user" causes a "MySQL crash" on my system, they get
de-authenticated pretty quickly. :-)

----------------
No rational person can see how using up the topsoil or the fossil fuels as
quickly as possible can provide greater security for the future, but if
enough wealth and power can conjure up the audacity to say that it can, then
sheer fantasy is given the force of truth; the future becomes reckonable as
even the past has never been. -- Wendell Berry
:::: Jan Steinman, EcoReality Co-op ::::


-- 
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe:    http://lists.mysql.com/mysql?unsub=1
