Re: KSR[T] Advisory #10: mSQL ServerStats

From: John W. Temples (johnat_private)
Date: Mon Feb 15 1999 - 13:10:44 PST


    On Mon, 15 Feb 1999, Dave G. wrote:
    
    > Compromise:          If host based access control is disabled, a
    >                      remote attacker can use the user names listed in
    >                      the connection table to access databases.  If host
    >                      based access control is enabled, a remote attacker
    >                      could launch a more complex attack (like DNS cache
    >                      poisoning) to access mSQL databases.
    
    This is hardly news; mSQL's access control is extremely weak.
    ServerStats probably makes it easier to get into an mSQL database, but
    if remote access is enabled, you simply need to know an authorized
    username (say, "root") to log into the database -- there are no
    passwords.  And you don't even need a username to perform DoS attacks,
    since mSQL is a single-threaded server -- just telnet to mSQL's port
    and sit there.  As far as I can see, the only thing that's changed
    since I posted about this in September, 1997, is that remote access is
    now disabled by default.
    
    --
    John W. Temples, III       ||       Providing the first public access Internet
    Gulfnet Kuwait             ||            site in the Arabian Gulf region
    


