[Full-Disclosure] Proofpoint Protection Server remote MySQL root user vulnerability
Szilveszter Adam
adam at hif.hu
Mon Feb 23 08:10:04 GMT 2004
Tony Kava wrote:
> Are you sure this is the default behaviour of a Red Hat installation? Your
> advisory does not indicate any specific version(s) of Red Hat Linux. Is
> this supposed to apply to RHL 7.2? 7.3? 8.0? 9.0? Fedora 1? In my previous
> experience with the 'mysql-server' package on any Red Hat the root user is
> granted full access without a password, but that is limited only to
> connections from the localhost. I've verified that the most up-to-date
> 'mysql-server' package for Red Hat Enterprise Linux 3 still falls in the 3.x
> version, not 4.x. The package name is mysql-server-3.23.58-1. Additionally
> with this package from Red Hat the root user without a password is limited
> to the localhost only.
Of course it sometimes helps to read the text of the advisory carefully.
Then you will be able to find out that it deals with an *embedded* mysql
server that comes with Proofpoint Protection Server, not the
mysql-server package that comes with <you name it> release of RH/Fedora.
This is why one should always be careful when evaluating products that
have embedded components: one cannot assume that the embedded components
are up-to-date security-wise.
Regards:
Sz.
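The distinction the thread turns on (a passwordless root that only matches localhost versus one that matches remote clients) is easy to audit from the grant table. The following is an added example, not code from the advisory or from Proofpoint; it takes rows as returned by `SELECT User, Host, Password FROM mysql.user` on MySQL 3.23/4.0 and flags empty-password accounts, separating the localhost-only case from grants that match non-local hosts. The sample rows are constructed.

```python
"""Audit mysql.user rows for passwordless accounts and where they are reachable from.

Each row is (User, Host, Password) as produced by
    SELECT User, Host, Password FROM mysql.user;
on MySQL 3.23 / 4.0 (later versions moved the hash to another column).
"""
from typing import Iterable, List, Tuple

# Host values that can only match a client on the database host itself.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def is_local_only(host: str) -> bool:
    """True if this Host value cannot match a connection from another machine.

    MySQL treats '%' and '_' as wildcards in Host, so anything containing them
    (e.g. '%' or '10.0.0.%') is treated here as reachable remotely.
    """
    return host in LOCAL_HOSTS


def find_passwordless(rows: Iterable[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return (user, host, exposure) for every account with an empty password.

    exposure is 'local' for the Red Hat mysql-server default described in the
    thread (root without a password, localhost only) and 'remote' for a grant
    that also matches clients on other hosts, which is the advisory's case.
    """
    findings = []
    for user, host, password in rows:
        if password:          # a hash is set; not our concern here
            continue
        exposure = "local" if is_local_only(host) else "remote"
        findings.append((user, host, exposure))
    return findings


# Constructed sample rows; not a dump from any real server.
SAMPLE_ROWS = [
    ("root", "localhost", ""),          # stock Red Hat package default
    ("root", "%", ""),                  # passwordless root reachable remotely
    ("app", "10.0.0.%", "5d2e19393cc5ef67"),
    ("", "localhost", ""),              # anonymous account
]

if __name__ == "__main__":
    for user, host, exposure in find_passwordless(SAMPLE_ROWS):
        print(f"{exposure:6s} {user or '<anonymous>'}@{host}")
```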
Full-Disclosure is hosted and sponsored by Secunia.