Bugtraq mailing list archives

Re: KSR[T] Advisory #10: mSQL ServerStats


From: john () KUWAIT NET (John W. Temples)
Date: Mon, 15 Feb 1999 13:53:03 -0800


On Mon, 15 Feb 1999, Dave G. wrote:

> There is no probably about this.  If you can issue a ServerStats request
> on an mSQL server that is in use, you _will_ find all of the
> authentication credentials necessary to access mSQL databases. Your post
> basically pointed out that if you have the authentication credentials
> or can guess them, you can access mSQL databases.  Ours states that you
> _can_ get them right from the server.

What isn't news is the fact that allowing remote access to an mSQL
database is extremely unwise.  Unauthorized access and DoS attacks are
far too simple to achieve.  Adding or removing ServerStats access
doesn't change this.

--
John W. Temples, III       ||       Providing the first public access Internet
Gulfnet Kuwait             ||            site in the Arabian Gulf region


