Hi Chris,

You should not forget those users who depend greatly on the tech support
(patches) of the manufacturer. Given your expertise and knowledge you might
be able to protect yourself, but not everybody is (as a matter of fact even
Gustavo said he isn't). In addition, to make things worse, today is Sunday,
and given the usual working hours in most countries, there's a very small
chance that someone from AB Konsulting has read this. On the other hand,
quite a number of hobby vandals, who spend their free days looking for
holes, might have found a nice new toy to play with, and Gustavo even
provided the "how-to".

I agree with you on the first point: If this is a known bug, it has to be
part of the "known-bug-list" and given its severity, be stated clearly on
the MySQL web site. Crashed server applications often bear the risk of
allowing a hacker to execute his own code, thus making such a bug really
dangerous, especially for web applications.

Your third point is a bit optimistic... Are you really prepared to react
immediately to all known or unknown security risks? If you have 10.000 users
using your application on a daily basis, or if you have 100 sites running
with it, every modification of a core component of your databases requires
good planning and careful handling. On a production server you usually don't
have the freedom to experiment a lot with your home-made patches.

Don't get me wrong, I am not at all opposed to disclosure. This is what
makes programs like MySQL, Linux etc. so powerful and more secure than
closed-source software. Remember the problems with Interbase, or Hotmail
(even better!) or the countless problems on Microsoft programs. It's
indispensable to search for bugs, but again, give the manufacturer at least
a chance to look into a matter before giving hackers a doorway to crash your
machine and worse steal or destroy your data.

Markus Gieppner
MGF International Inc.

-----Original Message-----
From: Chris DiBona [mailto:[EMAIL PROTECTED]]
Sent: Sunday, April 29, 2001 6:08 PM
To: Markus Gieppner
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: Ordinary users can crash mysql server


I disagree with you Markus, and here is why..

1....Gustavo probably isn't the only person who has noticed this, so it's
fair to say it's already made the round amongst those who aren't so nice.

2....this _is_ the mysql list.

3....this way, people can plan for such a problem and button things up
until a fix is forthcoming.

4....whether he went to the manufacturer or not, I personally am happy
that he posted it, it made me batten down a hatch or two.

 Chris

--
Marketing Manager, OSDN Events                |   http://www.osdn.com
Grant Chair, Linux International.             |   http://www.li.org
Co-editor, Open Sources                       |   http://www.dibona.com

On Sun, 29 Apr 2001, Markus Gieppner wrote:

> Bom dia, Gustavo,
>
> I am not in a position to comment nor to verify your warning. However, I am
> pretty annoyed by the way you make it public to the world. Unless I missed
> something here, but when someone discovers a security hole in any program,
> it's common standard to contact the manufacturer immediately, directly and
> offlist and give him a chance to comment and/or release a patch within a
> reasonable timeframe. If then, after a couple of weeks, you didn't get any
> response from the manufacturer, you should go public. I don't know if you did
> that, if you did I apologize and ask to ignore this message.
>
> Just imagine what doors you might open to hackers and vandals who always
> monitor these lists. (Where else could they get inspiration and necessary
> info for their sick minds???)! A major security bug could threaten thousands
> of sites all over the world. Responsible and fair handling is a must.
>
> Obrigado.
>
> Markus Gieppner
>
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, April 29, 2001 11:13 AM
> To: [EMAIL PROTECTED]
> Subject: Ordinary users can crash mysql server
>
>
> >Description:
>       When an ordinary user tries to analyze bin log using a remote host (-h
> ip_address) mysql server daemons crashes.
> >How-To-Repeat:
>       Just use mysqlbinlog to analyze a remote host binlog.
>       mysql -h ip_address -u user -p pass file
>
>       For instance (My environment):
>       shell> mysql -h 192.168.1.11 -u awp -p root etosha-bin.001
>
> >Fix:
>       I lack the required level of expertise to fix it, sorry!
>
> >Submitter-Id:        <submitter ID>
> >Originator:  Gustavo Rios
> >Organization:        Ifour Sistemas
>
> >MySQL support: [none]
> >Synopsis:
> >Severity:    [ critical ]
> >Priority:    [ high ]
> >Category:    mysql
> >Class:
> >Release:     mysql-3.23.37 (Source distribution)
> >Server: /usr/local/bin/mysqladmin  Ver 8.19 Distrib 3.23.37, for
> unknown-freebsdelf4.3 on i386
> Copyright (C) 2000 MySQL AB & MySQL Finland AB & TCX DataKonsult AB
> This software comes with ABSOLUTELY NO WARRANTY. This is free software,
> and you are welcome to modify and redistribute it under the GPL license
>
> Server version                3.23.37-log
> Protocol version      10
> Connection            Localhost via UNIX socket
> UNIX socket           /tmp/mysql.sock
> Uptime:                       1 hour 49 min 17 sec
>
> Threads: 1  Questions: 10  Slow queries: 0  Opens: 10  Flush tables: 1  Open
> tables: 4 Queries per second avg: 0.002
> >Environment:
>
> System: FreeBSD etosha.ifour.com.br 4.3-STABLE FreeBSD 4.3-STABLE #0: Fri
> Apr 27 13:46:06 GMT 2001
> [EMAIL PROTECTED]:/usr/obj/usr/src/sys/ETOSHA  i386
>
>
> Some paths:  /usr/bin/perl /usr/bin/make /usr/local/bin/gmake /usr/bin/gcc
> /usr/bin/cc
> GCC: Using builtin specs.
> gcc version 2.95.3 [FreeBSD] 20010315 (release)
> Compilation info: CC='gcc'  CFLAGS=''  CXX='gcc'
> CXXFLAGS='-felide-constructors -fno-exceptions -fno-rtti'  LDFLAGS=''
> LIBC:
> -r--r--r--  1 root  wheel  1174494 Apr 27 13:26 /usr/lib/libc.a
> lrwxr-xr-x  1 root  wheel  9 Apr 27 13:26 /usr/lib/libc.so -> libc.so.4
> -r--r--r--  1 root  wheel  561548 Apr 27 13:26 /usr/lib/libc.so.4
> Configure command:
> ./configure  --without-perl --without-debug --with-mit-threads=no --with-libwrap --with-charset=latin1 --with-extra-charsets=none --enable-assembler --with-berkeley-db --with-innodb --localstatedir=/var/db/mysql
> Perl: This is perl, version 5.005_03 built for i386-freebsd
>
> ---------------------------------------------------------------------
> Before posting, please check:
>    http://www.mysql.com/manual.php   (the manual)
>    http://lists.mysql.com/           (the list archive)
>
> To request this thread, e-mail <[EMAIL PROTECTED]>
> To unsubscribe, e-mail <[EMAIL PROTECTED]>
> Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php