[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <5.1.0.14.2.20030915162305.034c6e78@yoshimo.webtechs.idg.nl>
From: msopacua at idg.nl (Melvyn Sopacua)
Subject: Mysql 3.23.x/4.0.x Remote Root Exploit
At 15:16 14-9-2003, Jedi/Sector One wrote:
>On Sun, Sep 14, 2003 at 05:59:59AM -0700, Elv1S wrote:
> > http://www.k-otik.com/exploits/09.14.mysql.c.php
> > don't know if this vuln is patched ?
>
> Yes, just upgrade MySQL to 4.0.15 or apply the small patch posted in the
>advisory.
Actually - there's a very simple work-around, based upon the age old "chicken
and egg principle":
In order to exploit this bug, you need to have ALTER privileges on the
mysql.user table.
Just grant that privilege only to a trusted *local* account (say 'root') and
you're home free. Make sure only trusted persons know that password and don't
store it anywhere digitally (remember to remove ~/.mysql_history after
changing the password).
Met vriendelijke groeten / With kind regards,
Webmaster IDG.nl
Melvyn Sopacua
Powered by blists - more mailing lists