Security vulnerability in MySQL/MariaDB

-

A vulnerability has been identified in Mysql and MariaDB.

Basically under specific conditions it is possible for an attacker to provide any password and it will be accepted.

The source file affected is password.c

you can find an more detailed explaination and a fix here

http://seclists.org/oss-sec/2012/q2/493

All MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 are vulnerable.
MariaDB versions from 5.1.62, 5.2.12, 5.3.6, 5.5.23 are not.
MySQL versions from 5.1.63, 5.5.24, 5.6.6 are not.

If you know a username (root in most cases).  A situation arises where if you connect approx 250 to 300 times, that mysql will allow you connect without any password.

Comments

  1. Ana CyberJuly 26, 2021 at 4:50 PM

    Great job for publishing such a nice article. Your article isn’t only useful but it is additionally really informative. Thank you because you have been willing to share information with us. Network security audit

    ReplyDelete

Post a Comment

Popular posts from this blog

ActiveMQ, easy to use open source message oriented middleware (MOM)

-
ActiveMQ is message oriented middleware (MOM), useful for receiving and processing asynchronous messages (queues or topics). It is easily integrated with Java based applications (and others) via  the JMS API . ActiveQ offers enterprise scale features which may be required when implementing complex distributred systems such as   High availability with failover. Scalability and clustering through a distributed Network of Brokers. Pluggable persistence stores (JDBC, BDB, JDBM, file system). Distributed destinations and XA support. Caching. Connection pooling. Support for cross language clients such as . NET , C++. Support for scripting environments such as Perl, Python, and Ruby. Multiple Transport layers ( TCP , UDP, multicast, NIO, SSL , Zeroconf, JXTA, JGroups). Download at http://activemq.apache.org/
Read more

Basic Send Message to MQ with Java and IBM MQ JMS

-
package my.mq.samples;   import javax.jms.JMSException; import javax.jms.Session; import javax.jms.TextMessage; import com.ibm.mq.jms.MQQueue; import com.ibm.mq.jms.MQQueueConnection; import com.ibm.mq.jms.MQQueueConnectionFactory; import com.ibm.mq.jms.MQQueueSender; import com.ibm.mq.jms.MQQueueSession; import com.ibm.msg.client.wmq.WMQConstants; public class MQSend {     public static void main(String[] args) { try { MQQueueConnectionFactory cf = new MQQueueConnectionFactory(); cf.setHostName("localhost"); cf.setPort(1414);       cf.setIntProperty(WMQConstants.WMQ_CONNECTION_MODE, WMQConstants.WMQ_CM_CLIENT); cf.setQueueManager("QM_GRIDSERVER"); cf.setChannel("SYSTEM.ADMIN.SVRCONN");       MQQueueConnection connection = (MQQueueConnection) cf.createQueueConnection(); //MQQueueConnection connection = (MQQueueConnection) cf.createQueueConnection("username","password");  
Read more

Automated Service Monitoring with F5, Consul and Python F5 SDK

-
from f5.bigip import ManagementRoot # Connect to BIG-F5 mgmt = ManagementRoot("test.server.com", "testuser", "testpassword") # Get a list of all pools on the BigIP and print their names pools = mgmt.tm.ltm.pools.get_collection() for pool in pools:     print("+++ \t", pool.name)     for member in pool.members_s.get_collection():         print("\t--- \t",  member.name) # Create a HTTP Monitor for an F5 Pool if mgmt.tm.ltm.monitor.https.http.exists(partition='Common', name='F5Automation_HTTP_Monitor'):     print ("HTTP Monitor Already Exists...") else:     mgmt.tm.ltm.monitor.https.http.create(name="F5Automation_HTTP_Monitor", partition="Common") # Load an existing pool and update its description pool_a = mgmt.tm.ltm.pools.pool.load(name='F5Automation', partition='Common') pool_a.description = "F5Automation" pool_a.monitor = "F5Automation_HTTP
Read more