Full Disclosure mailing list archives
RE: User bypass privs for Mysql??
From: "Esler, Joel - Contractor" <joel.esler () rcert-s army mil>
Date: Tue, 18 May 2004 12:24:02 -0400
I did not have the grant priv, I had select, insert on mysql db. (I did log in as a different user --i.e. not root) Using MysqlCC I changed the Grant field from N to Y, and then could grand myself all privs to every database. Of course, I did have select, insert on mysql.. probably why huh? -----Original Message----- From: Ben Nelson [mailto:lists () venom600 org] Sent: Tuesday, May 18, 2004 11:48 AM To: Esler, Joel - Contractor Cc: full-disclosure () lists netsys com Subject: Re: [Full-disclosure] User bypass privs for Mysql?? -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 What permissions DID you have prior to editing your grants. How did you edit the grant (i.e. update user set Grant_priv = 'Y' where user = 'floobie' ). What version of mysql? Did you log in as yourself to edit the grants, or as another user? Also, you say you edited your 'Grant' from N to Y and then you instantly had all privs? Or did you edit you Grant from N to Y and then go grant yourself all privs? More information please. - --Ben Esler, Joel - Contractor wrote: | Not having any grant permissions. I went into the mysql/user table and | edited the Grant from N to Y. Logged out and logged back in, and I had | full privs including Grant. I shouldn't be able to do this... | | Joel | | _______________________________________________ | Full-Disclosure - We believe in it. | Charter: http://lists.netsys.com/full-disclosure-charter.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQFAqjAy3cL8qXKvzcwRAioXAKDehUyxUG/0LAVSEkbceyakaDrJPgCg2D0K 18yk4tactzaEoZFlJb4YKnw= =LvSo -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- User bypass privs for Mysql?? Esler, Joel - Contractor (May 18)
- Re: User bypass privs for Mysql?? James Bliss (May 18)
- Re: User bypass privs for Mysql?? Ben Nelson (May 18)
- RE: User bypass privs for Mysql?? Remko Lodder (May 18)
- Re: User bypass privs for Mysql?? Michael Gargiullo (May 18)
- <Possible follow-ups>
- RE: User bypass privs for Mysql?? Esler, Joel - Contractor (May 18)
- Re: User bypass privs for Mysql?? Maarten (May 18)
- Re: User bypass privs for Mysql?? Ben Nelson (May 18)
- RE: User bypass privs for Mysql?? Esler, Joel - Contractor (May 18)
- Re[2]: User bypass privs for Mysql?? npguy (May 18)