List: General Discussion
From: Michael Widenius
Date: January 12 2000 3:01am
Subject: Re: Serious bug in MySQL password handling. (fwd)
>>>>> "Viktor" == Viktor Fougstedt <viktor@stripped> writes:

Viktor> On Tue, 11 Jan 2000 elble@stripped wrote:
>> FYI, since I didn't see it cc'ed to the mysql list,
>> this previously discussed problem was posted to bugtraq
>> earlier today...
>> 

Viktor> Sorry! Forgot to cc the mysql-list. I am very embarrassed about that.

Viktor> Let me explain why I chose to post to bugtraq at this time.

Viktor> I am not keen on posting to bugtraq without there being a finished
Viktor> fix, with ready-to-download packages without the bug. But since I had
Viktor> already posted to this list, with a complete cookbook exploit and
Viktor> everything (my original bugreport contained a 'how to
Viktor> replicate'-section), I thought it best to warn as many as possible
Viktor> that any malicious user reading the mysql-list could already gain
Viktor> mysql-root on any default MySQL installation.

Viktor> If this was not known to the 'cracker' community before my initial
Viktor> bugreport to this list, it was afterwards. Posting to bugtraq
Viktor> therefore did not severely worsen the situation, but rather gave
Viktor> security-aware sysadmins the possibility to protect themselves from an
Viktor> attack they might not have been aware of.

I agree. As this bug is easy to avoid by just removing GRANT
privileges from everyone except root, it's just good to get some
attention so people can protect themselves.

Regards,
Monty