Recent MySQL vulnerability a lesson in privilege assignments

Discussion in 'CSO' started by RSS, Sep 12, 2016.

    A recently disclosed flaw in MySQL seems to be more about permissions than remote code execution (RCE). While the flaw is a bit over-hyped, the underlying problems are legit concerns for organizations that just slap a web server together and toss it into production.

    In 2003, a vulnerability in MySQL was disclosed which, if exploited, allows an attacker to create world-writable files and elevate the mysql user to root via the SELECT * INTO OUTFILE operator to overwrite the my.cnf file.

    Now, thirteen years later, a disclosure from legalhackers.com reports a similar issue, where an attacker can chain several configuration problems together in order to inject custom settings into a my.cnf file.
