Could someone explain this?

Insection · Post by **Insection** » 13 May 2009, 01:42

The MySQL Enterprise Server is affected by multiple vulnerabilities. 
1. Using RENAME TABLE against a table with explicit DATA DIRECTORY and INDEX DIRECTORY options can be used to overwrite system table information. 
2. ALTER VIEW retained the original DEFINER value, even when altered by another user, which could allow that user to gain the access rights of the view. 
3. When using a FEDERATED table, the local server can be forced to crash if the remote server returns a result with fewer columns than expected.

Can anyone explain how i can use these vulnerabilities to my advantage?

Post by **bad_brain** » 13 May 2009, 04:26

hm, seems this only works if you have access to the MySQL service already, it's for shared MySQL services in a LAN or when networking is enabled, but it's possible that the usual SQL injection techniques can be used too.
but the chances that you will stumble over a public MySQL Enterprise server on the internet are not really good imo.

I take this opportunity to point out a common mistake mad by people that are not really familiar with the MySQL service:
when you scan a server port 3306 is often shown as open (3306 is the MySQL default port), but this doesn't mean the service is available to the public as most people think....MySQL usually comes with the "skip-networking" option activated per default, this means only localhost (127.0.0.1) is allowed to connect. if networking between multiple servers is really necessary the IPs are also usually set in the config so only the those are allowed to connect....not setting those IPs explicitly and allowing access to anyone that way (ok, you still need the user/pass) is a severe misconfiguration.

Insection · Post by **Insection** » 13 May 2009, 05:08

ok thanks bad brain thats what i wanted to know