On Thursday 23 January 2003 05:12, George Toft wrote:

> I have discovered an exposure in the history recall functionality of
> MySQL Monitor. When a user uses MySQL Monitor authenticated as the
> database root user to issue commands, such as changing user passwords or
> database table creation, that history can be recalled by a database user
> of lesser privileges. This exposes passwords and table structure, which
> may not want to be exposed. This happens because the MySQL Monitor
> history is stored in the invoking Unix user's home directory. Likewise,
> that Unix user can simply cat the history file (cat .mysql_history) and
> see the commands, like this:
>
> aaron:~ $ cat .mysql_history
> select * from user;
> select Host,User,Password from user;
> update user set Password=password("secret1") where User="root";
> select Host,User,Password from user;
You can just use the -q option of the MySQL client to skip the history file :)

--
For technical support contracts, goto https://order.mysql.com/?ref=ensita
This email is sponsored by Ensita.net http://www.ensita.net/
Egor Egorov
MySQL AB / Ensita.net
www.mysql.com
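A small defensive check for the exposure George describes, as an added shell example that is not part of the thread (function names and the sample history lines in the test are constructed here). Besides the -q option Egor mentions, it also shows the common alternative of pointing .mysql_history at /dev/null so nothing is recorded regardless of how the client is invoked.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Unix user's ~/.mysql_history for
# credential-bearing statements and loose permissions, then neutralise the file
# so the client stops recording. All paths are passed in by the caller.

# Print lines in the history file that look like credential operations
# (password() calls, IDENTIFIED BY clauses, GRANT statements).
# Returns 0 when such lines exist, 1 otherwise (or when the file is unreadable).
audit_mysql_history() {
    hist="$1"
    [ -r "$hist" ] || return 1
    grep -i -E 'password\(|identified by|^grant ' "$hist"
}

# Return 0 when the history file is readable by group or others, i.e. its mode
# is wider than 0600/0400 and other local users can read the recorded SQL.
history_world_readable() {
    hist="$1"
    [ -e "$hist" ] || return 1
    # GNU stat first, BSD stat as a fallback
    mode=$(stat -c '%a' "$hist" 2>/dev/null || stat -f '%Lp' "$hist")
    case "$mode" in
        600|400) return 1 ;;
        *) return 0 ;;
    esac
}

# Replace the history file with a symlink to /dev/null so the client can no
# longer record statements (an alternative to passing -q on every invocation).
disable_mysql_history() {
    hist="$1"
    rm -f "$hist"
    ln -s /dev/null "$hist"
}
```

Run the audit over each home directory that has ever been used for root-level mysql sessions; the grep pattern is deliberately broad and will also flag harmless lines, which is the right bias for a review.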