https://www.computerworld.com/s/article/9227965/MySQL_vulnerability_allows_attackers_to_bypass_password_verification By Lucian Constantin IDG News Service June 11, 2012 Security researchers have released details about a vulnerability in the MySQL server that could allow potential attackers to access MySQL databases without inputting proper authentication credentials. The vulnerability is identified as CVE-2012-2122 and was addressed in MySQL 5.1.63 and 5.5.25 in May. However, many server administrators might not be aware of its impact, because the changelog for those versions contained very little information about the security bug. The vulnerability can only be exploited if MySQL was built on a system where the memcmp() function can return values outside the -128 to 127 range. This is the case for Linux systems that use an SSE-optimized glibc (GNU C library). If MySQL was built on such a system, the code that compares the cryptographic hash of a user-inputted password to the hash stored in the database for a particular account will sometimes allow authentication even if the supplied password is incorrect. [...] -- Certified Ethical Hacker, ISSMP, ISSAP, CISSP training with Expanding Security gives the best training and support. Get a free live class invite weekly. Best programs, best prices. http://www.ExpandingSecurity.com/PainPillReceived on Tue Jun 12 2012 - 01:35:09 PDT
This archive was generated by hypermail 2.2.0 : Tue Jun 12 2012 - 01:28:15 PDT