You just did the right thing: you posted an anomaly to the list. That's not bad, 
that's good. Thanks for notifying us!

Don't worry about possible abuse; as far as I can see you need a normal mysql account 
anyhow in the first place, and if any system administrator would notice such a user 
killing the daemon on purpose, he/she'd probably first kick him out of the system for 
ever, and then tell him/her he/she could be sued (or in fact: sue him/her if there is 
any damage).

So, if a system administrator has such users, it's his/her own mistake. Security is 
not made by a system or by mysql; security is made or broken by humans.


regards,

rene

On Mon, 30 Apr 2001 07:28:44 -0300
Gustavo Vieira Gonçalves Coelho Rios  <[EMAIL PROTECTED]> wrote:

> Hi folks!
> 
> Since we (not we, just my account) at Ifour had some problem with email,
> I did not get all responses to my bug report.
> 
> But, by reading some messages, I can see it was not a good thing to have
> posted the message on the list. Please forgive me for whatever I have
> done. I have just done so, because that's what is stated in the Manual,
> and since I am a MySQL beginner... I do read the manuals.
> 
> Again, I am sorry for any problem I may have caused.
> BTW, what was my mistake?
> 
> 
> 
> 
> Markus Gieppner gravada:
> > 
> > Hi Chris,
> > 
> > You should not forget those users who depend greatly on the tech support
> > (patches) of the manufacturer. Given your expertise and knowledge you might
> > be able to protect yourself, but not everybody is (as a matter of fact even
> > Gustavo said he isn't). In addition, to make things worse, today is Sunday,
> > and given the usual working hours in most countries, there's a very small
> > chance that someone from AB Konsulting has read this. On the other hand,
> > quite a number of hobby vandals, who spend their free days looking for
> > holes, might have found a nice new toy to play with, and Gustavo even
> > provided the "how-to".
> > 
> > I agree with you on the first point: If this is a known bug, it has to be
> > part of the "known-bug-list" and given its severity, be stated clearly on
> > the MySQL web site. Crashed server applications often bear the risk of
> > allowing a hacker to execute his own code, thus making such a bug really
> > dangerous, especially for web applications.
> > 
> > Your third point is a bit optimistic... Are you really prepared to react
> > immediately to all known or unknown security risks? If you have 10.000 users
> > using your application on a daily basis, or if you have 100 sites running
> > with it, every modification of a core component of your databases requires
> > good planning and careful handling. On a production server you usually don't
> > have the freedom to experiment a lot with your home-made patches.
> > 
> > Don't get me wrong, I am not at all opposed to disclosure. This is what
> > makes programs like MySQL, Linux etc. so powerful and more secure than
> > closed-source software. Remember the problems with Interbase, or Hotmail
> > (even better!) or the countless problems on Microsoft programs. It's
> > indispensable to search for bugs, but again, give the manufacturer at least
> > a chance to look into a matter before giving hackers a doorway to crash your
> > machine and worse steal or destroy your data.
> > 
> > Markus Gieppner
> > MGF International Inc.
> > 
> > -----Original Message-----
> > From: Chris DiBona [mailto:[EMAIL PROTECTED]]
> > Sent: Sunday, April 29, 2001 6:08 PM
> > To: Markus Gieppner
> > Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> > Subject: RE: Ordinary users can crash mysql server
> > 
> > I disagree with you, Markus, and here is why...
> > 
> > 1....Gustavo probably isn't the only person who has noticed this, so it's
> > fair to say it's already made the rounds amongst those who aren't so nice.
> > 
> > 2....this _is_ the mysql list.
> > 
> > 3....this way, people can plan for such a problem and button things up
> > until a fix is forthcoming.
> > 
> > 4....whether he went to the manufacturer or not, I personally am happy
> > that he posted it; it made me batten down a hatch or two.
> > 
> >  Chris
> > 
> > --
> > Marketing Manager, OSDN Events                |   http://www.osdn.com
> > Grant Chair, Linux International.             |   http://www.li.org
> > Co-editor, Open Sources                       |   http://www.dibona.com
> > 
> > On Sun, 29 Apr 2001, Markus Gieppner wrote:
> > 
> > > Bom dia, Gustavo,
> > >
> > > I am not in a position to comment nor to verify your warning. However, I am
> > > pretty annoyed by the way you make it public to the world. Unless I missed
> > > something here, but when someone discovers a security hole in any program,
> > > it's common standard to contact the manufacturer immediately, directly and
> > > offlist and give him a chance to comment and/or release a patch within a
> > > reasonable timeframe. If then, after a couple of weeks, you didn't get any
> > > response from the manufacturer, you should go public. I don't know if you did
> > > that; if you did, I apologize and ask you to ignore this message.
> > >
> > > Just imagine what doors you might open to hackers and vandals who always
> > > monitor these lists. (Where else could they get inspiration and necessary
> > > info for their sick minds???)! A major security bug could threaten thousands
> > > of sites all over the world. Responsible and fair handling is a must.
> > >
> > > Obrigado.
> > >
> > > Markus Gieppner
> > >
> > >
> > >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > > Sent: Sunday, April 29, 2001 11:13 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: Ordinary users can crash mysql server
> > >
> > >
> > > >Description:
> > >       When an ordinary user tries to analyze a bin log using a remote host (-h
> > > ip_address), the mysql server daemon crashes.
> > > >How-To-Repeat:
> > >       Just use mysqlbinlog to analyze a remote host binlog.
> > >       mysql -h ip_address -u user -p pass file
> > >
> > >       For instance (My environment):
> > >       shell> mysql -h 192.168.1.11 -u awp -p root etosha-bin.001
> > >
> > > >Fix:
> > >       I lack the required level of expertise to fix it, sorry!
> > >
> > > >Submitter-Id:        <submitter ID>
> > > >Originator:  Gustavo Rios
> > > >Organization:        Ifour Sistemas
> > >
> > > >MySQL support: [none]
> > > >Synopsis:
> > > >Severity:    [ critical ]
> > > >Priority:    [ high ]
> > > >Category:    mysql
> > > >Class:
> > > >Release:     mysql-3.23.37 (Source distribution)
> > > >Server: /usr/local/bin/mysqladmin  Ver 8.19 Distrib 3.23.37, for
> > > unknown-freebsdelf4.3 on i386
> > > Copyright (C) 2000 MySQL AB & MySQL Finland AB & TCX DataKonsult AB
> > > This software comes with ABSOLUTELY NO WARRANTY. This is free software,
> > > and you are welcome to modify and redistribute it under the GPL license
> > >
> > > Server version                3.23.37-log
> > > Protocol version      10
> > > Connection            Localhost via UNIX socket
> > > UNIX socket           /tmp/mysql.sock
> > > Uptime:                       1 hour 49 min 17 sec
> > >
> > > Threads: 1  Questions: 10  Slow queries: 0  Opens: 10  Flush tables: 1  Open
> > > tables: 4 Queries per second avg: 0.002
> > > >Environment:
> > >
> > > System: FreeBSD etosha.ifour.com.br 4.3-STABLE FreeBSD 4.3-STABLE #0: Fri
> > > Apr 27 13:46:06 GMT 2001
> > > [EMAIL PROTECTED]:/usr/obj/usr/src/sys/ETOSHA  i386
> > >
> > >
> > > Some paths:  /usr/bin/perl /usr/bin/make /usr/local/bin/gmake /usr/bin/gcc
> > > /usr/bin/cc
> > > GCC: Using builtin specs.
> > > gcc version 2.95.3 [FreeBSD] 20010315 (release)
> > > Compilation info: CC='gcc'  CFLAGS=''  CXX='gcc'
> > > CXXFLAGS='-felide-constructors -fno-exceptions -fno-rtti'  LDFLAGS=''
> > > LIBC:
> > > -r--r--r--  1 root  wheel  1174494 Apr 27 13:26 /usr/lib/libc.a
> > > lrwxr-xr-x  1 root  wheel  9 Apr 27 13:26 /usr/lib/libc.so -> libc.so.4
> > > -r--r--r--  1 root  wheel  561548 Apr 27 13:26 /usr/lib/libc.so.4
> > > Configure command:
> > >
> > > ./configure  --without-perl --without-debug --with-mit-threads=no --with-libwrap --with-charset=latin1 --with-extra-charsets=none --enable-assembler --with-berkeley-db --with-innodb --localstatedir=/var/db/mysql
> > > Perl: This is perl, version 5.005_03 built for i386-freebsd
> > >
> > > ---------------------------------------------------------------------
> > > Before posting, please check:
> > >    http://www.mysql.com/manual.php   (the manual)
> > >    http://lists.mysql.com/           (the list archive)
> > >
> > > To request this thread, e-mail <[EMAIL PROTECTED]>
> > > To unsubscribe, e-mail <[EMAIL PROTECTED]>
> > > Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
> > >
> 
