Security vulnerability in MySQL/MariaDB

-

A vulnerability has been identified in Mysql and MariaDB.

Basically under specific conditions it is possible for an attacker to provide any password and it will be accepted.

The source file affected is password.c

you can find an more detailed explaination and a fix here

http://seclists.org/oss-sec/2012/q2/493

All MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 are vulnerable.
MariaDB versions from 5.1.62, 5.2.12, 5.3.6, 5.5.23 are not.
MySQL versions from 5.1.63, 5.5.24, 5.6.6 are not.

If you know a username (root in most cases).  A situation arises where if you connect approx 250 to 300 times, that mysql will allow you connect without any password.

Comments

Post a Comment

Popular posts from this blog

Basic Send Message to MQ with Java and IBM MQ JMS

-
package my.mq.samples;

import javax.jms.JMSException;
import javax.jms.Session;
import javax.jms.TextMessage;

import com.ibm.mq.jms.MQQueue;

import com.ibm.mq.jms.MQQueueConnection;
import com.ibm.mq.jms.MQQueueConnectionFactory;
import com.ibm.mq.jms.MQQueueSender;
import com.ibm.mq.jms.MQQueueSession;
import com.ibm.msg.client.wmq.WMQConstants;

public class MQSend {

public static void main(String[] args)
{
try {
MQQueueConnectionFactory cf = new MQQueueConnectionFactory();
cf.setHostName("localhost");
cf.setPort(1414);

cf.setIntProperty(WMQConstants.WMQ_CONNECTION_MODE, WMQConstants.WMQ_CM_CLIENT);

cf.setQueueManager("QM_GRIDSERVER");
cf.setChannel("SYSTEM.ADMIN.SVRCONN");

MQQueueConnection connection = (MQQueueConnection) cf.createQueueConnection();
//MQQueueConnection connection = (MQQueueConnection) cf.createQueueConnection("username","password");

MQQueueSession session = (MQQueueSession) connection.createQueueSession(false, Session.AUTO_ACKN…
Read more

Basic Receive Message to MQ with Java and IBM MQ JMS

-
package my.mq.samples;

import javax.jms.JMSException;
import javax.jms.Session;
import javax.jms.TextMessage;
import com.ibm.mq.jms.MQQueue;
import com.ibm.mq.jms.MQQueueConnection;
import com.ibm.mq.jms.MQQueueConnectionFactory;
import com.ibm.mq.jms.MQQueueReceiver;
import com.ibm.mq.jms.MQQueueSession;
import com.ibm.msg.client.wmq.WMQConstants;

public class MQReceive {

public static void main(String[] args)
{
try {
MQQueueConnectionFactory cf = new MQQueueConnectionFactory();
cf.setHostName("localhost");
cf.setPort(1414);

cf.setIntProperty(WMQConstants.WMQ_CONNECTION_MODE, WMQConstants.WMQ_CM_CLIENT);

cf.setQueueManager("QM_GRIDSERVER");
cf.setChannel("SYSTEM.ADMIN.SVRCONN");

MQQueueConnection connection = (MQQueueConnection) cf.createQueueConnection();
//MQQueueConnection connection = (MQQueueConnection) cf.createQueueConnection("username","password");

MQQueueSession session = (MQQueueSession) connection.createQueueSession(false, Session.AUTO…
Read more

Configure Database Connection using MyBatis

-
Step 1: Create a propertiese file and store the relevant MySQL connection details here.

In my case the config.properties file contains the following
username=mysqluser
password=1234mysql
url=jdbc:mysql://localhost/bankrecords
driver=com.mysql.jdbc.Driver

Step 2: Create a configuration.xml file, this should contain all the required information needed to connect to your MySQL instance.  you need to reference the above propertiese file in the XML config file.

< ?xml version="1.0" encoding="UTF-8" ?>
< !DOCTYPE configuration PUBLIC "-//mybatis.org//DTD Config 3.0//EN" "http://mybatis.org/dtd/mybatis-3-config.dtd">
<configuration>
<properties resource="config.properties" />
<environments default="staging">
<environment id="staging">
<transactionManager type="JDBC"/>
<dataSource type="POOLED">
<property name="driver" value="${driver}"/>
<…
Read more