[6401] in bugtraq


Re: Trivial mSQL/MySQL DoS method?

daemon@ATHENA.MIT.EDU (Nigel Reed (Non-HP))
Thu Mar 26 15:46:18 1998

Date: 	Thu, 26 Mar 1998 14:17:23 -0600
Reply-To: "Nigel Reed (Non-HP)" <nigelr@NELGIN.RSN.HP.COM>
From: "Nigel Reed (Non-HP)" <nigelr@NELGIN.RSN.HP.COM>
X-To:         markjr@SHMOOZE.NET
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <XFMail.980326134545.markjr@shmOOze.net> from "Stunt Pope" at Mar
              26, 98 01:36:19 pm

Confirmed with 2.0.1 under HPUX 10.20 and NetBSD 1.3

If I keep repeatedly opening telnet sessions, it will make msqladmin
hang, although once a telnet session times out, then it will carry on
as normal.

I don't have 2.0.3 but I expect it will be similar - thanks for the
heads up on this one.

I'll pass it on to the author (who doesn't appear to be doing much these
days so I doubt there will be a speedy fix)

Regards
Nigel

> It seems that if one wants to bring a website that relies heavily on mSQL or
> MySQL to its knees, simply telnet to the port the server listens on (1112
> for mSQL or 3333 for MySQL) and then just sit there, forget about it.
>
> Nothing on the server will be able to query any of the databases. The
> admin shutdown or reload commands will hang, etc. As long as someone
> keeps the null connection open to the SQL server's port, the only way
> to resume database operations is to kill the parent process and restart
> the daemon.
>
> This seems to work regardless of what's in the acl files or tables.
>
> A site using mod_auth_msql or mod_auth_mysql would be especially
> inconvenienced.
>
> -mark
>
> ---
> Mark Jeftovic                   aka: mark jeff or vic, stunt pope.
> markjr@shmOOze.net              http://www.shmOOze.net/~markjr
> Private World's BOFH            http://www.PrivateWorld.com
> irc: L-bOMb                     Keep `em Guessing
>


--
Nigel Reed            Please do NOT send me MIME email. I will only
                  read TEXT based email. MIME will be unread and deleted
Consultant  Work: 972 497 4877   Home Email: nigel@nelgin.nu
Hewlett Packard HPSD, 3000 Waterview Parkway, Richardson, Tx, 75080

ANTI SPAM FILTER IN USE :: REMOVE SPAM-ME-NOT IF REPLYING TO NEWSGROUP MESSAGE
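
Added example, not part of the original thread and not mSQL/MySQL code: a loopback-only sketch of the mitigation side, a per-connection read deadline, so a silent peer is dropped instead of stalling every client queued behind it. It assumes the hang comes from a server that handles one connection at a time and blocks reading from it (the posts do not state the cause); the server, its `OK` reply and the function names are constructed for the demo.

```python
import socket
import threading
import time


def serve(listener, stop, read_timeout):
    """Serial accept loop (assumed design): one client is handled at a time.
    read_timeout=None blocks forever on a silent peer; a number drops it."""
    listener.settimeout(0.2)  # lets the loop notice the stop flag
    while not stop.is_set():
        try:
            conn, _ = listener.accept()
        except socket.timeout:
            continue
        with conn:
            conn.settimeout(read_timeout)
            try:
                data = conn.recv(1024)
                if data:
                    conn.sendall(b"OK " + data)
            except OSError:
                pass  # deadline hit or peer reset: close, take next client


def queued_client_reply(read_timeout, client_wait=2.0):
    """Open a silent connection first, then a real client behind it.
    Returns the real client's reply, or None if it got no answer in time."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # loopback only, ephemeral port
    listener.listen(8)
    addr = listener.getsockname()
    stop = threading.Event()
    worker = threading.Thread(target=serve, args=(listener, stop, read_timeout))
    worker.start()
    idle = socket.create_connection(addr)  # connects and sends nothing
    time.sleep(0.1)  # let the server accept the silent peer first
    try:
        with socket.create_connection(addr, timeout=client_wait) as client:
            client.sendall(b"query\n")
            reply = client.recv(1024)
    except socket.timeout:
        reply = None
    idle.close()  # unblocks a server still stuck in recv()
    stop.set()
    worker.join()
    listener.close()
    return reply
```

`queued_client_reply(None)` returns `None` (the real client starves behind the silent one), while `queued_client_reply(0.5)` returns the server's reply once the silent peer has been timed out.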
