Hi.

Unfortunately, again you don't answer my mail, but only a side
comment I made. :-(

On Wed, Mar 21, 2001 at 03:37:45PM +0200, [EMAIL PROTECTED] wrote:
> Benjamin Pflugmann writes:
>  > Hi.
> <cut> 
>  > Of course, that's why I was explicitly talking about the fact that the
>  > user needs CREATE privileges (FILE privileges are not needed, if I am
>  > not mistaken).
> 
> First of all, it is easy to reproduce a test case.

Sorry, but I don't understand what you refer to.

> Second, that FILE privilege I was citing is there because of SELECT ..
> INTO OUTFILE ... I thought that you would understand that.

Oh. We are getting personal?

<RANT>Sorry that I tried to help improve a great product.</RANT>

Does that mean you already verified that SELECT ... INTO OUTFILE is
vulnerable, too, or is this just an assumption?

> Regarding shadow file, I can crack it in 15 minutes, if I had the
> interest, but I have no such interests.

Yes, I already acknowledged in a part of my mail you decided not
to quote, that someone in the know will find a way.

> And I did it only on my own computer once 4 years ago.
>
> A CGI script that could be talked into executing ln -s ....
> 
> That is a bit far fetched.
>
> Any scenario that involves shell access (or funny CGI scripts) or
> similar cannot be considered a MySQL security flaw.

Well, that depends. IMO, this is a security flaw, because you can get
MySQL to do something it should IMO not do.

I already agreed (again, in a part of my last mail you did not quote)
that there is room to argue about the probability that someone has the
environment to use it.

Nevertheless, you agree that this behaviour is not intended and should
/ will be fixed?

Bye,

        Benjamin.

