Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

mSQL vulnerability.

From: cbell () ATLAS UNION UKANS EDU (Christofer C. Bell)
Date: Wed, 17 Feb 1999 10:00:29 -0600

I'd like to point out that mSQL by default (all versions) DO NOT have
hosts based access control enabled.  Note that when you start the msql2d
process for the first time, you see this message:

Mini SQL Version 2.0.7 Copyright (c) 1993-94 David J. Hughes Copyright (c)
1995-99 Hughes Technologies Pty Ltd.  All rights reserved.

        Loading configuration from '/usr/local/Hughes/msql.conf'.
        Server process reconfigured to accept 200 connections.
        Server running as user 'msql'.
        Server mode is Read/Write.

Warning: No ACL file.  Using global read/write access.

The "Warning:" is the important part.  Even if you use the provided
msql.acl.sample file as your acl file, the permissions are as follows:

database=test
read=bambi,-root
write=root
host=*
access=local,remote
option=rfc931

database=minerva
read=*
write=minerva
access=local

This sets up some form of access restrictions on databases 'test' and
'minerva' but not on any databases YOU create.  Please make sure to edit
this file and use host based security.

--
Christofer C. Bell                      Systems Analyst
OSSC - Systems Management               email: cbell () inetdb com
Sprint Communications                   phone: 913-534-2535
Previous By Date Next
Previous By Thread Next

Current thread: