[9605] in bugtraq

Re: KSR[T] Advisory #10: mSQL ServerStats

daemon@ATHENA.MIT.EDU (John W. Temples)
Tue Feb 16 16:00:21 1999

Date: 	Mon, 15 Feb 1999 13:53:03 -0800
Reply-To: "John W. Temples" <john@KUWAIT.NET>
From: "John W. Temples" <john@KUWAIT.NET>
X-To:         "Dave G." <dhg@ksrt.org>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <Pine.SUN.3.96.990215161545.5186A-100000@sitio>

On Mon, 15 Feb 1999, Dave G. wrote:

> There is no probably about this.  If you can issue a ServerStats request
> on an mSQL server that is in use, you _will_ find all of the
> authentication credentials necessary to access mSQL databases. Your post
> basically pointed out that if you have the authentication credentials
> or can guess them, you can access mSQL databases.  Ours states that you
> _can_ get them right from the server.

What isn't news is the fact that allowing remote access to an mSQL
database is extremely unwise.  Unauthorized access and DoS attacks are
far too simple to achieve.  Adding or removing ServerStats access
doesn't change this.

--
John W. Temples, III       ||       Providing the first public access Internet
Gulfnet Kuwait             ||            site in the Arabian Gulf region
