On Thursday 23 January 2003 05:12, George Toft wrote:

> I have discovered an exposure in the history recall functionality of
> MySQL Monitor.  When a user uses MySQL monitor authenticated as the
> database root user to issue commands, such as changing user passwords or
> database table creation, that history can be recalled by a database user
> of lesser privileges.  This exposes passwords and table structure, which
> may not want to be exposed.  This happens because the MySQL Monitor
> history is stored in the invoking Unix user's home directory.  Likewise,
> that Unix user can simply cat the history file (cat .mysql_history) and
> see the commands, like this:
>         aaron:~ $ cat .mysql_history
>         select * from user;
>         select Host,User,Password from user;
>         update user set Password=password("secret1") where User="root";
>         select Host,User,Password from user;

You can just use the -q option of the MySQL client to skip the history file :)



-- 
   __  ___     ___ ____  __
  /  |/  /_ __/ __/ __ \/ /    Egor Egorov
 / /|_/ / // /\ \/ /_/ / /__   [EMAIL PROTECTED]
/_/  /_/\_, /___/\___\_\___/   MySQL AB / Ensita.net
       <___/   www.mysql.com
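As an added example, not part of the original thread: a small POSIX shell audit of the exposure George describes, together with the mitigation of pointing .mysql_history at /dev/null (which the MySQL manual documents alongside setting MYSQL_HISTFILE=/dev/null), as an alternative to the -q option Egor mentions. The demo directory and the sample history contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original thread. Audits a mysql client history
# file for statements that embed credentials and applies a mitigation.
# The demo directory and sample history below are constructed.

# Count history lines carrying credential material: PASSWORD(...),
# IDENTIFIED BY ..., or SET PASSWORD ... statements. Prints the count.
count_credential_lines() {
    histfile="$1"
    [ -r "$histfile" ] || { echo 0; return 0; }
    # grep -c prints 0 but exits 1 when nothing matches; keep the 0.
    grep -ciE 'password[[:space:]]*\(|identified[[:space:]]+by|set[[:space:]]+password' \
        "$histfile" || true
}

# Mitigation: replace any plain-file history with a symlink to /dev/null,
# so the client has nothing to write to or reload (the MySQL manual
# documents this and the equivalent MYSQL_HISTFILE=/dev/null setting).
# Prints the link target so the caller can confirm it.
disable_mysql_history() {
    home="$1"
    target="$home/.mysql_history"
    if [ -e "$target" ] && [ ! -L "$target" ]; then
        rm -f "$target"          # discard the already-recorded statements
    fi
    [ -L "$target" ] || ln -s /dev/null "$target"
    readlink "$target"
}

# Demo on a constructed history mirroring the lines quoted in the report.
demo_home=$(mktemp -d)
cat > "$demo_home/.mysql_history" <<'EOF'
select * from user;
select Host,User,Password from user;
update user set Password=password("secret1") where User="root";
select Host,User,Password from user;
EOF
echo "before: $(count_credential_lines "$demo_home/.mysql_history") credential line(s)"  # 1
disable_mysql_history "$demo_home" >/dev/null
echo "after:  $(count_credential_lines "$demo_home/.mysql_history") credential line(s)"  # 0
rm -rf "$demo_home"
```

Run it as the Unix account that invokes the mysql client; the symlink must be created in that account's home directory, since that is where the client looks for .mysql_history.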




