MySQL/Windows worm

  • fional24
  • Graduate
  • Posts: 125
  • Loc: Scotland

http://news.zdnet.com/2100-1009_22-5553 ... ag=nl.e589

Not a happy story!

  • ScienceOfSpock
  • Mastermind
  • Posts: 1893
  • Loc: Las Vegas

Well, considering that the default mysql install on windows only allows root to connect from localhost, I don't consider this to be a threat.
In order for the exploit to work, the DB administrator would have to choose to allow root to connect from anywhere, without changing the default root password. In this case, the admin is incompetent. Either way, it isn't a vulnerability in mysql; it's just human ignorance.
  • RichB
  • Guru
  • Posts: 1121
  • Loc: Boston

ScienceOfSpock wrote:
Well, considering that the default mysql install on windows only allows root to connect from localhost, I don't consider this to be a threat.

I just reinstalled mysql on my new computer with Windows and had to remove some of the default accounts that were set up, so I'm not sure that's accurate:

Two accounts are created with a username of root. These are superuser accounts that can do anything. The initial root account passwords are empty, so anyone can connect to the MySQL server as root without a password and be granted all privileges.

On Windows, one root account is for connecting from the local host and the other allows connections from any host.

On Unix, both root accounts are for connections from the local host. Connections must be made from the local host by specifying a hostname of localhost for one account, or the actual hostname or IP number for the other.

On Windows, one anonymous account is for connections from the local host. It has all privileges, just like the root accounts. The other is for connections from any host and has all privileges for the test database or other databases with names that start with test.

On Unix, both anonymous accounts are for connections from the local host. Connections must be made from the local host by specifying a hostname of localhost for one account, or the actual hostname or IP number for the other. These accounts have all privileges for the test database or other databases with names that start with test_.

You should assign passwords to the MySQL root accounts.

http://dev.mysql.com/doc/mysql/en/defau ... leges.html

The first thing I did was remove any accounts with wildcards and change passwords to something randomly generated.
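The clean-up described in this post, written out as an added example (not code from the thread or from MySQL): it audits a snapshot of the `mysql.user` grant table for the default accounts quoted from the manual and emits the statements that remove wildcard and anonymous accounts and set passwords. The row shape `(User, Host, Password)`, the MySQL 3.23/4.x/5.0 syntax, and the sample rows are assumptions.

```python
# Added example (not from the thread): audit a snapshot of mysql.user for the
# default-account risks discussed above and generate the clean-up statements.
# Assumes rows of (User, Host, Password) as returned by
#   SELECT User, Host, Password FROM mysql.user
# on MySQL 3.23/4.x/5.0 (the column and SET PASSWORD syntax changed in 5.7/8.0).
from typing import Dict, List, Tuple

# CONSTRUCTED sample mirroring the Windows defaults quoted from the manual.
SAMPLE_USER_TABLE: List[Tuple[str, str, str]] = [
    ("root", "localhost", ""),  # superuser, empty password
    ("root", "%", ""),  # superuser from ANY host, empty password
    ("", "localhost", ""),  # anonymous, all privileges locally
    ("", "%", ""),  # anonymous from any host (test databases)
    ("app", "10.0.0.5", "*HASH_PLACEHOLDER"),  # constructed hardened account
]

def audit_user_table(rows: List[Tuple[str, str, str]]) -> Dict[Tuple[str, str], List[str]]:
    """Map (user, host) -> reasons the account is risky; clean accounts are omitted."""
    findings: Dict[Tuple[str, str], List[str]] = {}
    for user, host, password in rows:
        reasons = []
        if user == "":
            reasons.append("anonymous account")
        if password == "":
            reasons.append("empty password")
        if host == "%":
            reasons.append("reachable from any host")
        if reasons:
            findings[(user, host)] = reasons
    return findings

def hardening_sql(rows: List[Tuple[str, str, str]]) -> List[str]:
    """Drop anonymous and wildcard-host accounts, set a password on the rest.
    The password is left as a placeholder for the operator to replace with a
    randomly generated value; never hard-code it in a script."""
    stmts = []
    for user, host, password in rows:
        if user == "" or host == "%":
            # DELETE works on every version of this era; DROP USER needs >= 4.1.1
            stmts.append(f"DELETE FROM mysql.user WHERE User='{user}' AND Host='{host}';")
        elif password == "":
            stmts.append(f"SET PASSWORD FOR '{user}'@'{host}' = PASSWORD('<random-password>');")
    stmts.append("FLUSH PRIVILEGES;")  # reload grant tables after direct edits
    return stmts

if __name__ == "__main__":
    for (user, host), reasons in audit_user_table(SAMPLE_USER_TABLE).items():
        print(f"'{user}'@'{host}': {', '.join(reasons)}")
    print("\n".join(hardening_sql(SAMPLE_USER_TABLE)))
```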
  • ScienceOfSpock
  • Mastermind
  • Posts: 1893
  • Loc: Las Vegas

This may have changed with newer versions; I'm still using mysql 3 something on my localhost (well, not really using it, it's just still there).

© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.