
| Subject: | Re: [Full-Disclosure] MySQL and the user "su" |
|---|---|
| Date: | Fri, 31 Dec 2004 19:47:02 +0100 |
Dear Tom Crimmins, on Friday, 31 December 2004 at 17:42 you wrote:
[snip] Today I determined that I can connect to a local MySQL server with "mysql -usu". I regard that as an error; can someone confirm that? [/snip]
This is not an error. You should by default be able to connect with any user from localhost, but you will not have privileges to do anything else. This is because the mysql install by default sets up permissions this way. You could verify this yourself by connecting as root, and executing the following query:
SELECT * FROM mysql.user;
The row that applies in this case is the one with Host='localhost' and User=''. You can delete this row if you do not want this behavior. You must do a "flush privileges;" after deleting the row.
--- Tom Crimmins Interface Specialist Pottawattamie County, Iowa
OK, if I delete the user, I can no longer connect. But why does MySQL create this user at all, if it is not used? I think that should be evaluated as a security bug.
--
Best regards,
Sascha Wolf
mailto:swolf@x-project.net
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
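
The row matching described in the quoted reply, as an added example that is not part of the original thread: a simplified Python model (not MySQL's own code) of how the server picks a mysql.user row, assuming rows are ordered most-specific Host first and blank User last and the first match wins. The rows and function names are constructed for illustration, and the example goes beyond the "su" case to show the anonymous localhost row also shadowing a named account defined for Host='%'.

```python
import re

# Constructed sample (Host, User) rows, not taken from a real server.
DEFAULT_ROWS = [
    ("%", "appuser"),       # hypothetical named account, any host
    ("localhost", ""),      # anonymous account: Host='localhost', User=''
    ("localhost", "root"),
]

def host_matches(pattern, host):
    """Host uses SQL LIKE wildcards: % = any run, _ = one character."""
    regex = "".join(
        ".*" if c == "%" else "." if c == "_" else re.escape(c) for c in pattern
    )
    return re.fullmatch(regex, host, re.IGNORECASE) is not None

def sort_key(row):
    """Assumed ordering: literal Host before patterns, named User before blank."""
    host, user = row
    return ("%" in host or "_" in host, user == "")

def matched_account(rows, user, host):
    """Return the first (Host, User) row matching the login, or None (denied)."""
    for row_host, row_user in sorted(rows, key=sort_key):
        if host_matches(row_host, host) and row_user in ("", user):
            return (row_host, row_user)
    return None

def without_anonymous(rows):
    """Model of deleting every User='' row (followed by FLUSH PRIVILEGES)."""
    return [row for row in rows if row[1] != ""]

if __name__ == "__main__":
    for name in ("su", "root", "appuser"):
        print(name, "->", matched_account(DEFAULT_ROWS, name, "localhost"))
    hardened = without_anonymous(DEFAULT_ROWS)
    for name in ("su", "appuser"):
        print(name, "->", matched_account(hardened, name, "localhost"))
```

With the anonymous row present, any unknown user name from localhost resolves to ''@localhost; once it is removed, the same login matches no row and is denied, and the named account resolves to its own row.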