MySQL bug: access with shell code

Gio01

Member


Hello.
I have one bug, but all MySQL server versions are affected by this bug:
my friend can access it with one shell and doesn't put in data or a password.
And he can bypass the login security.
How can I block it? Thank you

My friend can access my MySQL server from the command line without a password. How can I block this?
 

Gio01

Member


I have FreeBSD 8.2 64-bit.
MySQL version is 5.5.22.
My friend works on your shell and he said he can connect without user and password and can do anything we want.
I don't know how to fix this issue...


FreeBSD 8.2, 64 bit. MySQL 5.5.22.
 

SirDice

Administrator
Staff member
Moderator

Show us how he did it. I don't know how to fix the issue if I don't know what the problem is.
 

Gio01

Member


In short, my friend, with a shell bug, can log into all existing MySQL without ID and password.

My friend can log into MySQL server without username and password.
 

SirDice

Administrator
Staff member
Moderator

I'm not clairvoyant. I'm not a mindreader either.

In short, I can't tell you what's going on because I have no idea what your friend does.
 

Gio01

Member


But what is not clear, that my friend has a shell and enters MySQL without any data?

But how does my friend enter MySQL server without data?
 

SirDice

Administrator
Staff member
Moderator

I get that. Just not what exactly he does to get access.
 

Gio01

Member


It takes a shell and exploits a flaw in MySQL 5.5.22.
I just need to know how to block it with shell access.


It's a shell exploit of a flaw in MySQL 5.5.22. I just need to know how to block it.
 

SirDice

Administrator
Staff member
Moderator

What flaw? How about updating to 5.5.24?
 

Gio01

Member


He only says: work with one shell to bypass the login system.
Maybe I upgrade... how can I?


He says he can bypass the login system from the shell. How can I upgrade?
 

SirDice

Administrator
Staff member
Moderator

HOWTO: keeping FreeBSD's base system and packages up-to-date (forum thread 26140)
 

usdmatt

Daemon


Are you sure this is actually a bug and not that you just haven't set a root password?

Code:
mysqladmin -u root password 'newpassword'
A default install of MySQL will allow full access from localhost by just running mysql -u root.

I'll be very surprised if there's a current bug that allows console login without a password when one has been set. If there is and your friend knows enough about it to take advantage, surely he knows what the bug is and the fix? (either by upgrading to a version without the bug or changing some configuration)
 
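As an added example (not code from the thread or from any of the posters), a small POSIX sh audit of the account situation usdmatt describes: it reads a dump of mysql.user and flags anonymous accounts and accounts with no password, printing the 5.5-era SQL that fixes each. The dump command in the comment and the sample rows are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits a tab-separated dump of
# mysql.user for two misconfigurations: anonymous accounts and accounts with
# an empty password (MySQL 5.5 keeps the hash in the `Password` column).
# Assumed way to produce the dump on the server, as a privileged user:
#   mysql -N -B -e 'SELECT User, Host, Password FROM mysql.user' > users.tsv
# Each line is then: user<TAB>host<TAB>password_hash

# audit_mysql_users: reads the dump on stdin, prints one finding per line
# with the SQL that fixes it; returns 1 if anything was found, 0 if clean.
audit_mysql_users() {
    awk -F '\t' '
        # empty User column = anonymous account: anyone from that host gets in
        $1 == "" {
            printf "anonymous @%s -> DROP USER \047\047@\047%s\047;\n", $2, $2
            bad++
            next
        }
        # empty Password column: the account has no password at all
        $3 == "" {
            printf "no password for %s@%s -> SET PASSWORD FOR \047%s\047@\047%s\047 = PASSWORD(\047<new-password>\047);\n", $1, $2, $1, $2
            bad++
        }
        END { exit (bad > 0) }
    '
}

# count_findings: number of findings for the dump on stdin, for scripting
count_findings() {
    audit_mysql_users | wc -l | tr -d ' '
}

# Constructed sample dump resembling a default install before the root
# password was set and the anonymous account dropped; the hash is a placeholder.
SAMPLE_DUMP=$(printf 'root\tlocalhost\t\n\tlocalhost\t\napp\tlocalhost\t*0000000000000000000000000000000000000000')

if printf '%s\n' "$SAMPLE_DUMP" | audit_mysql_users; then
    echo "mysql.user looks clean"
else
    echo "fix the accounts listed above, then re-run the audit"
fi
```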

SirDice

Administrator
Staff member
Moderator

@usdmatt: Yeah, thought of that. There are also various test accounts that will give access. Proper administration fixes that issue. And I wouldn't want to call it a bug, just a badly configured application.

That's why I really want to know exactly what commands his friend uses. Or else we'll be shooting in the dark until the cows come home.

@Gio01: Did you actually read anything I posted?
 

Gio01

Member


I have read and I have updated, but same problem.
This is a bug. How can I fix it?
I worked about 3 days and nothing led to a solution.

Can one IP ban solve that?

UPDATE: my friend told me that:
enters a query 0psw the "standard" with a little tweaking adapted to mysql db


The problem persists after an update. How can I fix this bug? Can I use an IP ban?

My friend told me that he "enters a query 0psw the "standard" with a little tweaking adapted to mysql db"
 

SirDice

Administrator
Staff member
Moderator

Ask your friend to show it to you. Take notes, write down everything he does. Post that information here.
 

DutchDaemon

Administrator
Staff member
Moderator
Developer

My head hurts.

Gio, if your next post does not contain any usable information that actually illustrates the problem or "hack", this thread will not survive. It is without any merit.

And please invest some effort into writing proper posts: http://forums.freebsd.org/showthread.php?t=18043
 