Re: KSR[T] Advisory #10: mSQL ServerStats

From: John W. Temples (johnat_private)
Date: Mon Feb 15 1999 - 13:53:03 PST

    On Mon, 15 Feb 1999, Dave G. wrote:
    
    > There is no probably about this.  If you can issue a ServerStats request
    > on an mSQL server that is in use, you _will_ find all of the
    > authentication credentials necessary to access mSQL databases. Your post
    > basically pointed out that if you have the authentication credentials
    > or can guess them, you can access mSQL databases.  Ours states that you
    > _can_ get them right from the server.
    
    What isn't news is the fact that allowing remote access to an mSQL
    database is extremely unwise.  Unauthorized access and DoS attacks are
    far too simple to achieve.  Adding or removing ServerStats access
    doesn't change this.
    
    --
    John W. Temples, III       ||       Providing the first public access Internet
    Gulfnet Kuwait             ||            site in the Arabian Gulf region
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:35:04 PDT