Message-ID: <200405181946.24447.fulldisc@ultratux.org>
From: fulldisc at ultratux.org (Maarten)
Subject: User bypass privs for Mysql??
On Tuesday 18 May 2004 18:24, Esler, Joel - Contractor wrote:
> I did not have the grant priv, I had select, insert on mysql db. (I did
> log in as a different user --i.e. not root) Using MysqlCC I changed the
> Grant field from N to Y, and then could grant myself all privs to every
> database.
>
> Of course, I did have select, insert on mysql.. probably why huh?
I'm not a mysql guru but... yes. That would be akin to disallowing the use of
'chsh' and 'chfn' but in the meantime having /etc/passwd world-writeable...
Maarten
> -----Original Message-----
> From: Ben Nelson [mailto:lists@...om600.org]
> Sent: Tuesday, May 18, 2004 11:48 AM
> To: Esler, Joel - Contractor
> Cc: full-disclosure@...ts.netsys.com
> Subject: Re: [Full-Disclosure] User bypass privs for Mysql??
>
> What permissions DID you have prior to editing your grants? How did you
> edit the grant (i.e. update user set Grant_priv = 'Y' where user =
> 'floobie' ). What version of mysql? Did you log in as yourself to edit
> the grants, or as another user? Also, you say you edited your 'Grant'
> from N to Y and then you instantly had all privs? Or did you edit your
> Grant from N to Y and then go grant yourself all privs?
>
> More information please.
>
> --Ben
>
> Esler, Joel - Contractor wrote:
> | Not having any grant permissions. I went into the mysql/user table and
> | edited the Grant from N to Y. Logged out and logged back in, and I had
> | full privs including Grant. I shouldn't be able to do this...
> |
> | Joel
> |
> | _______________________________________________
> | Full-Disclosure - We believe in it.
> | Charter: http://lists.netsys.com/full-disclosure-charter.html
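
Added example, not part of the original thread: the /etc/passwd analogy above comes down to checking which accounts can write to the `mysql` schema, whatever their Grant_priv says. This Python sketch audits `SHOW GRANTS` output for such accounts; the sample lines, account names and function names are constructed for illustration.

```python
import re

# Privileges that allow direct row changes in the grant tables.
WRITE_PRIVS = {"INSERT", "UPDATE", "DELETE", "ALL", "ALL PRIVILEGES"}
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<db>`[^`]+`|\*)\.(?P<tbl>`[^`]+`|\*)"
    r"\s+TO\s+(?P<user>\S+)(?P<rest>.*)$", re.IGNORECASE)

# Constructed sample of SHOW GRANTS output; account names are hypothetical.
SAMPLE = [
    "GRANT USAGE ON *.* TO 'reporting'@'localhost'",
    "GRANT SELECT, INSERT ON `mysql`.* TO 'reporting'@'localhost'",
    "GRANT SELECT, INSERT, UPDATE ON `app\\_%`.* TO 'webapp'@'10.0.0.%'",
    "GRANT INSERT ON `my%`.* TO 'etl'@'%'",
    "GRANT UPDATE (Grant_priv) ON `mysql`.`user` TO 'ops'@'%'",
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
]

def covers_mysql_db(pattern):
    """True if a database grant pattern (% and _ wildcards) matches 'mysql'."""
    if pattern == "*":
        return True
    parts = []
    for tok in re.findall(r"\\.|.", pattern):
        # "\_" and "\%" are escaped literals; bare % and _ are wildcards.
        parts.append(".*" if tok == "%" else "." if tok == "_" else re.escape(tok[-1]))
    return re.fullmatch("".join(parts), "mysql", re.IGNORECASE) is not None

def audit_grants(lines):
    """Report accounts that can write to the mysql schema (effective GRANT)."""
    findings = []
    for line in lines:
        m = GRANT_RE.match(line.strip())
        if not m or not covers_mysql_db(m.group("db").strip("`")):
            continue
        # Drop column lists such as "UPDATE (Grant_priv)" before splitting.
        names = re.sub(r"\([^)]*\)", "", m.group("privs")).split(",")
        risky = sorted({n.strip().upper() for n in names} & WRITE_PRIVS)
        if risky:
            findings.append({
                "account": m.group("user"),
                "scope": f'{m.group("db")}.{m.group("tbl")}',
                "privileges": risky,
                "grant_option": "WITH GRANT OPTION" in m.group("rest").upper(),
            })
    return findings

if __name__ == "__main__":
    for finding in audit_grants(SAMPLE):
        print(finding)
```

Findings with `grant_option` set to False are the accounts whose declared privileges understate what they can do.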