mSQL vulnerability.
Christofer C. Bell (cbell ATLAS.UNION.UKANS.EDU)
Wed, 17 Feb 1999 10:00:29 -0600

I'd like to point out that mSQL by default (all versions) DOES NOT have
host-based access control enabled. Note that when you start the msql2d
process for the first time, you see this message:

    Mini SQL Version 2.0.7 Copyright (c) 1993-94 David J. Hughes Copyright (c)
    1995-99 Hughes Technologies Pty Ltd. All rights reserved.
    Loading configuration from '/usr/local/Hughes/msql.conf'.
    Server process reconfigured to accept 200 connections.
    Server running as user 'msql'.
    Server mode is Read/Write.
    Warning : No ACL file. Using global read/write access.

The "Warning:" is the important part. Even if you use the provided
msql.acl.sample file as your acl file, the permissions are as follows:

    database=test
    read=bambi,-root
    write=root
    host=*
    access=local,remote
    option=rfc931

    database=minerva
    read=*
    write=minerva
    access=local

This sets up some form of access restrictions on databases 'test' and
'minerva' but not on any databases YOU create. Please make sure to edit
this file and use host based security.
--
Christofer C. Bell Systems Analyst
OSSC - Systems Management email: cbell inetdb.com
Sprint Communications phone: 913-534-2535