[9678] in bugtraq

Re: mSQL vulnerability.

daemon@ATHENA.MIT.EDU (John W. Temples)
Fri Feb 19 20:25:26 1999

Date: 	Thu, 18 Feb 1999 15:32:20 -0800
Reply-To: "John W. Temples" <john@KUWAIT.NET>
From: "John W. Temples" <john@KUWAIT.NET>
X-To:         cbell@ukans.edu
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <Pine.LNX.3.96.990217095405.295B-100000@atlas.union.ukans.edu>

On Wed, 17 Feb 1999, Christofer C. Bell wrote:

> I'd like to point out that mSQL by default (all versions) DO NOT have
> hosts based access control enabled.

This was noted in Bugtraq long ago, but isn't entirely true with recent
versions.

Remote access is disabled by default going back to at least version
2.0.4.1.  There are new "Remote_Access" and "Local_Access" keywords in
msql.conf, set by default to False and True, respectively, in the
included sample file.  These keywords take precedence over the "access"
keyword in msql.acl.

What hasn't changed in recent versions is that all databases have
unrestricted local access by default.  I still believe it would be wise
for mSQL to ship with a default msql.acl file that denies all access.

--
John W. Temples, III       ||       Providing the first public access Internet
Gulfnet Kuwait             ||            site in the Arabian Gulf region
