MySQL bug: access with shell code

Hello.
I have one bug, but all versions of MySQL server are affected by this bug:
my friend can get access with one shell and doesn't enter any data or password.
And he can bypass the login security.
How can I block it? Thank you

My friend can access my MySQL server from the command line without a password. How can I block this?
 
I have FreeBSD 8.2 64-bit.
MySQL version is 5.5.22.
My friend works on your shell and he said he can connect without user and password and can do anything we want.
I don't know how to fix this issue...


FreeBSD 8.2, 64 bit. MySQL 5.5.22.
 
Show us how he did it. I don't know how to fix the issue if I don't know what the problem is.
 
In short, my friend, with a shell bug, can log into all existing MySQL without ID and password.

My friend can log into MySQL server without username and password.
 
I'm not clairvoyant. I'm not a mindreader either.

In short, I can't tell you what's going on because I have no idea what your friend does.
 
But what is not clear about my friend having a shell and entering MySQL without any data?

But how does my friend enter MySQL server without data?
 
I get that. Just not what exactly he does to get access.
 
It takes a shell and exploits a flaw in MySQL 5.5.22.
I just need to know how to block with shell access.


It's a shell exploit of a flaw in MySQL 5.5.22. I just need to know how to block it.
 
He only says: work with one shell to bypass login system.
Maybe I upgrade... how can I?


He says he can bypass the login system from the shell. How can I upgrade?
 
Thread 26140: HOWTO: keeping FreeBSD's base system and packages up-to-date
 
Are you sure this is actually a bug and not that you just haven't set a root password?

Code:
mysqladmin -u root password 'newpassword'

A default install of MySQL will allow full access from localhost by just running mysql -u root.

I'll be very surprised if there's a current bug that allows console login without a password when one has been set. If there is and your friend knows enough about it to take advantage, surely he knows what the bug is and the fix? (either by upgrading to a version without the bug or changing some configuration)
 
@usdmatt: Yeah, thought of that. There are also various test accounts that will give access. Proper administration fixes that issue. And I wouldn't want to call it a bug, just a badly configured application.

That's why I really want to know exactly what commands his friend uses. Or else we'll be shooting in the dark until the cows come home.

@Gio01: Did you actually read anything I posted?
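
Added example, not part of the original thread: the misconfiguration described in the two posts above (a root account with no password, plus the default anonymous and test accounts) can be audited and closed from a `mysql -u root` session with statements like these. It assumes the MySQL 5.5 grant-table layout, where `mysql.user` has a `Password` column; the password string is a placeholder.

```sql
-- Assumption: MySQL 5.5.x grant tables (mysql.user still has a Password column).

-- 1. Audit: every account that can log in with no password, and every
--    anonymous account (User = ''), which matches any user name.
SELECT User, Host,
       IF(User = '', 'anonymous', 'named')  AS account_kind,
       IF(Password = '', 'EMPTY', 'set')    AS password_state
FROM mysql.user
WHERE Password = '' OR User = ''
ORDER BY User, Host;

-- 2. Audit: the default rows that grant any account access to test databases.
SELECT Host, Db, User
FROM mysql.db
WHERE Db = 'test' OR Db = 'test\\_%';

-- 3. Fix: give every root row a password (placeholder value, replace it).
UPDATE mysql.user
SET Password = PASSWORD('REPLACE_WITH_A_STRONG_PASSWORD')
WHERE User = 'root';

-- 4. Fix: remove anonymous accounts and root rows reachable from other hosts.
DELETE FROM mysql.user WHERE User = '';
DELETE FROM mysql.user
WHERE User = 'root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');

-- 5. Fix: remove the test database and the grants that open it to everyone.
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db WHERE Db = 'test' OR Db = 'test\\_%';

-- 6. Reload the grant tables so the direct table edits take effect.
FLUSH PRIVILEGES;

-- 7. Verify: this should now return no rows.
SELECT User, Host FROM mysql.user WHERE Password = '' OR User = '';
```

The `mysql_secure_installation` script shipped with MySQL performs the same cleanup interactively.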
 
I have read and I have updated, but same problem.
This is a bug. How can I fix it?
I worked about 3 days and found no solution.

Can an IP ban solve that?



UPDATE: my friend told me that:
enters a query 0psw the "standard" with a little tweaking adapted to mysql db


The problem persists after an update. How can I fix this bug? Can I use an IP ban?

My friend told me that he "enters a query 0psw the "standard" with a little tweaking adapted to mysql db"
 
Ask your friend to show it to you. Take notes, write down everything he does. Post that information here.
 