Good morning, Gustavo,

I am not in a position to comment nor to verify your warning. However, I am
pretty annoyed by the way you make it public to the world. Unless I missed
something here: when someone discovers a security hole in any program,
it's common standard to contact the manufacturer immediately, directly and
offlist and give him a chance to comment and/or release a patch within a
reasonable timeframe. If then, after a couple of weeks, you didn't get any
response from the manufacturer, you should go public. I don't know if you did
that; if you did, I apologize and ask you to ignore this message.

Just imagine what doors you might open to hackers and vandals who always
monitor these lists. (Where else could they get inspiration and necessary
info for their sick minds???)! A major security bug could threaten thousands
of sites all over the world. Responsible and fair handling is a must.

Thank you.

Markus Gieppner



-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Sunday, April 29, 2001 11:13 AM
To: [EMAIL PROTECTED]
Subject: Ordinary users can crash mysql server


>Description:
        When an ordinary user tries to analyze the bin log using a remote host (-h
ip_address), the mysql server daemon crashes.
>How-To-Repeat:
        Just use mysqlbinlog to analyze a remote host binlog.
        mysql -h ip_address -u user -p pass file

        For instance (My environment):
        shell> mysql -h 192.168.1.11 -u awp -p root etosha-bin.001

>Fix:
        I lack the required level of expertise to fix it, sorry!

>Submitter-Id:  <submitter ID>
>Originator:    Gustavo Rios
>Organization:  Ifour Sistemas

>MySQL support: [none]
>Synopsis:
>Severity:      [ critical ]
>Priority:      [ high ]
>Category:      mysql
>Class:
>Release:       mysql-3.23.37 (Source distribution)
>Server: /usr/local/bin/mysqladmin  Ver 8.19 Distrib 3.23.37, for unknown-freebsdelf4.3 on i386
Copyright (C) 2000 MySQL AB & MySQL Finland AB & TCX DataKonsult AB
This software comes with ABSOLUTELY NO WARRANTY. This is free software,
and you are welcome to modify and redistribute it under the GPL license

Server version          3.23.37-log
Protocol version        10
Connection              Localhost via UNIX socket
UNIX socket             /tmp/mysql.sock
Uptime:                 1 hour 49 min 17 sec

Threads: 1  Questions: 10  Slow queries: 0  Opens: 10  Flush tables: 1  Open tables: 4 Queries per second avg: 0.002
>Environment:

System: FreeBSD etosha.ifour.com.br 4.3-STABLE FreeBSD 4.3-STABLE #0: Fri Apr 27 13:46:06 GMT 2001
[EMAIL PROTECTED]:/usr/obj/usr/src/sys/ETOSHA  i386


Some paths:  /usr/bin/perl /usr/bin/make /usr/local/bin/gmake /usr/bin/gcc /usr/bin/cc
GCC: Using builtin specs.
gcc version 2.95.3 [FreeBSD] 20010315 (release)
Compilation info: CC='gcc'  CFLAGS=''  CXX='gcc'
CXXFLAGS='-felide-constructors -fno-exceptions -fno-rtti'  LDFLAGS=''
LIBC:
-r--r--r--  1 root  wheel  1174494 Apr 27 13:26 /usr/lib/libc.a
lrwxr-xr-x  1 root  wheel  9 Apr 27 13:26 /usr/lib/libc.so -> libc.so.4
-r--r--r--  1 root  wheel  561548 Apr 27 13:26 /usr/lib/libc.so.4
Configure command:
./configure  --without-perl --without-debug --with-mit-threads=no --with-libwrap --with-charset=latin1 --with-extra-charsets=none --enable-assembler --with-berkeley-db --with-innodb --localstatedir=/var/db/mysql
Perl: This is perl, version 5.005_03 built for i386-freebsd

---------------------------------------------------------------------
Before posting, please check:
   http://www.mysql.com/manual.php   (the manual)
   http://lists.mysql.com/           (the list archive)

To request this thread, e-mail <[EMAIL PROTECTED]>
To unsubscribe, e-mail <[EMAIL PROTECTED]>
Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
