Bugtraq mailing list archives
Re: KSR[T] Advisory #10: mSQL ServerStats
From: john () KUWAIT NET (John W. Temples)
Date: Mon, 15 Feb 1999 13:53:03 -0800
On Mon, 15 Feb 1999, Dave G. wrote:
> There is no probably about this. If you can issue a ServerStats request on an mSQL server that is in use, you _will_ find all of the authentication credentials necessary to access mSQL databases. Your post basically pointed out that if you have the authentication credentials or can guess them, you can access mSQL databases. Ours states that you _can_ get them right from the server.
What isn't news is the fact that allowing remote access to an mSQL database is extremely unwise. Unauthorized access and DoS attacks are far too simple to achieve. Adding or removing ServerStats access doesn't change this.
--
John W. Temples, III || Providing the first public access Internet
Gulfnet Kuwait || site in the Arabian Gulf region