Full Disclosure mailing list archives
Re: Proofpoint Protection Server remote MySQL root user vulnerability
From: Szilveszter Adam <adam () hif hu>
Date: Mon, 23 Feb 2004 09:10:04 +0100
Tony Kava wrote:
Are you sure this is the default behaviour of a Red Hat installation? Your advisory does not indicate any specific version(s) of Red Hat Linux. Is this supposed to apply to RHL 7.2? 7.3? 8.0? 9.0? Fedora 1? In my previous experience with the 'mysql-server' package on any Red Hat, the root user is granted full access without a password, but that is limited only to connections from the localhost. I've verified that the most up-to-date 'mysql-server' package for Red Hat Enterprise Linux 3 still falls in the 3.x version, not 4.x. The package name is mysql-server-3.23.58-1. Additionally, with this package from Red Hat, the root user without a password is limited to the localhost only.
Of course, it sometimes helps to read the text of the advisory carefully. Then you will be able to find out that it deals with an *embedded* mysql server that comes with Proofpoint Protection Server, not the mysql-server package that comes with <you name it> release of RH/Fedora.
This is why one should always be careful when evaluating products that have embedded components: one cannot assume that the embedded components are up-to-date security-wise.
Regards: Sz.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
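The distinction the two posters argue over (a passwordless root confined to localhost versus one reachable from the network) is exactly what an audit of the MySQL grant table should separate. The following is an added example, not code from the advisory, the thread, or Proofpoint: it walks rows in the shape of `SELECT User, Host, Password FROM mysql.user` and flags every passwordless account, rating it by whether its Host pattern admits remote connections. The rows are constructed sample data.

```python
# Added example: audit MySQL grant-table rows for passwordless accounts and
# distinguish localhost-only accounts (the Red Hat mysql-server default
# described above) from ones reachable over the network (the embedded-server
# condition the advisory describes). Rows are constructed, not real data.

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

def host_is_remote(host: str) -> bool:
    """True if a mysql.user Host value admits connections from other machines.
    '%' and '' are wildcards in MySQL; any value other than the loopback
    names is conservatively treated as remotely reachable."""
    return host not in LOCAL_HOSTS

def audit_mysql_users(rows):
    """Return (user, host, severity) for every account with an empty password.
    severity is 'critical' when the Host pattern allows remote logins and
    'warning' when the account is confined to the local machine."""
    findings = []
    for user, host, password in rows:
        if password != "":
            continue  # has a password hash; not in scope for this check
        severity = "critical" if host_is_remote(host) else "warning"
        findings.append((user, host, severity))
    return findings

# Constructed sample grant table: a stock localhost-only root, a root opened
# to any host with no password, a password-protected application user, and
# the anonymous localhost account that old mysql_install_db runs created.
SAMPLE_ROWS = [
    ("root", "localhost", ""),
    ("root", "%", ""),
    ("app", "%", "5d2e19393cc5ef67"),  # made-up old-style 16-hex-char hash
    ("", "localhost", ""),
]

if __name__ == "__main__":
    for user, host, severity in audit_mysql_users(SAMPLE_ROWS):
        print(f"{severity:8} '{user}'@'{host}' has no password")
```

On a live server the same rows come from `mysql.user`; on MySQL 4.1 and later the column is `authentication_string` or `Password` depending on version, so adjust the query before feeding rows in.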
