>>>>> "Viktor" == Viktor Fougstedt <viktor@stripped> writes:
Viktor> On Tue, 11 Jan 2000 elble@stripped wrote:
>> FYI, since I didn't see it cc'ed to the mysql list,
>> this previously discussed problem was posted to bugtraq
>> earlier today...
>>
Viktor> Sorry! Forgot to cc the mysql-list. I am very embarrassed about that.
Viktor> Let me explain why I chose to post to bugtraq at this time.
Viktor> I am not keen on posting to bugtraq without there being a finished
Viktor> fix, with ready-to-download packages without the bug. But since I had
Viktor> already posted to this list, with a complete cookbook exploit and
Viktor> everything (my original bug report contained a 'how to
Viktor> replicate'-section), I thought it best to warn as many as possible
Viktor> that any malicious user reading the mysql-list could already gain
Viktor> mysql-root on any default MySQL installation.
Viktor> If this was not known to the 'cracker' community before my initial
Viktor> bug report to this list, it was afterwards. Posting to bugtraq
Viktor> therefore did not severely worsen the situation, but rather gave
Viktor> security-aware sysadmins the possibility to protect themselves from an
Viktor> attack they might not have been aware of.
I agree; as this bug is easy to avoid by just removing GRANT
privileges from everyone except root, it's just good to get some
attention so people can protect themselves.
Regards,
Monty