Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > Bugtraq> 1998_1

Bugtraq archives for 1st quarter (Jan-Mar) 1998: Re: MySQL Security

Re: MySQL Security

Aleph One (aleph1DFW.NET)
Sun, 29 Mar 1998 03:31:17 -0600

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: whiz: "Eudora Pro 4.0 attachment/long filename problem"
Previous message: Sandu Mihai: "MySQL Security"
In reply to: Sandu Mihai: "MySQL Security"
Next in thread: Michael Widenius: "mysql: MySQL Security"

On Sun, 29 Mar 1998, Sandu Mihai wrote:

> When you use a certain mysql configuration it is possible to create
> files on the system as root with rw-rw-rw.
> Many MySQL users have included user root from localhost without password
> in their config.
> So. If on such a system you issue :
> mysql -u root test
> you not only will have access to the database but you'll be able to
> create a file on the system with the root
> ownership and rw-rw-rw useing the SELECT .. INTO OUTFILE  statement.

This is a configuration problem. It can be easily solved by adding a
password and/or changing the file_priv column to 'N' for this user in the
user table in the mysql database. Nonetheless is advisable for people
running mySQL to check their configuration for any users with file_priv
that should not have it.

Aleph One / aleph1dfw.net
http://underground.org/
KeyID 1024/948FD6B5
Fingerprint EE C9 E8 AA CB AF 09 61  8C 39 EA 47 A8 6A B8 01

Next message: whiz: "Eudora Pro 4.0 attachment/long filename problem"
Previous message: Sandu Mihai: "MySQL Security"
In reply to: Sandu Mihai: "MySQL Security"
Next in thread: Michael Widenius: "mysql: MySQL Security"