Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > comp.lang.python > #55392

Re: Can arbitrary code run in a server if someone's know just the MySQL password?

Path csiph.com!v102.xanadu-bbs.net!xanadu-bbs.net!feeder.erje.net!eu.feeder.erje.net!eweka.nl!lightspeed.eweka.nl!194.109.133.81.MISMATCH!newsfeed.xs4all.nl!newsfeed2.news.xs4all.nl!xs4all!newsgate.cistron.nl!newsgate.news.xs4all.nl!post.news.xs4all.nl!not-for-mail
Return-Path <python-python-list@m.gmane.org>
X-Original-To python-list@python.org
Delivered-To python-list@mail.python.org
X-Spam-Status OK 0.009
X-Spam-Evidence '*H*': 0.98; '*S*': 0.00; 'insert': 0.05; 'subject:password': 0.05; '(using': 0.07; 'subject:code': 0.07; 'received:80.91': 0.09; 'received:80.91.229': 0.09; 'received:gmane.org': 0.09; 'received:list': 0.09; 'belongs': 0.16; 'investigate': 0.16; 'message-id:@4ax.com': 0.16; 'received:80.91.229.3': 0.16; 'received:plane.gmane.org': 0.16; 'subject:run': 0.16; 'wed,': 0.18; "skip:' 30": 0.19; 'select': 0.22; 'shell': 0.22; 'url:home': 0.24; 'options': 0.25; 'header:X -Complaints-To:1': 0.27; 'statement': 0.30; 'lines': 0.31; 'table,': 0.31; 'run': 0.32; 'table': 0.34; 'subject:the': 0.34; 'could': 0.34; 'but': 0.35; 'charset:us-ascii': 0.36; 'subject:?': 0.36; 'received:76': 0.38; 'system,': 0.38; 'server': 0.38; 'to:addr:python-list': 0.38; 'to:addr:python.org': 0.39; 'received:org': 0.40; 'how': 0.40; 'read': 0.60; 'subject:Can': 0.60; 'full': 0.61; 'new': 0.61; 'finally': 0.65; 'temporary': 0.65; 'gain': 0.79; 'subject:know': 0.84; 'examine': 0.93; '2013': 0.98
X-Injected-Via-Gmane http://gmane.org/
To python-list@python.org
From Dennis Lee Bieber <wlfraed@ix.netcom.com>
Subject Re: Can arbitrary code run in a server if someone's know just the MySQL password?
Date Wed, 02 Oct 2013 20:02:37 -0400
Organization IISS Elusive Unicorn
References <l2h31g$q96$1@dont-email.me>
Mime-Version 1.0
Content-Type text/plain; charset=us-ascii
Content-Transfer-Encoding 7bit
X-Gmane-NNTP-Posting-Host adsl-76-249-20-155.dsl.klmzmi.sbcglobal.net
X-Newsreader Forte Agent 6.00/32.1186
X-No-Archive YES
X-BeenThere python-list@python.org
X-Mailman-Version 2.1.15
Precedence list
List-Id General discussion list for the Python programming language <python-list.python.org>
List-Unsubscribe <https://mail.python.org/mailman/options/python-list>, <mailto:python-list-request@python.org?subject=unsubscribe>
List-Archive <http://mail.python.org/pipermail/python-list/>
List-Post <mailto:python-list@python.org>
List-Help <mailto:python-list-request@python.org?subject=help>
List-Subscribe <https://mail.python.org/mailman/listinfo/python-list>, <mailto:python-list-request@python.org?subject=subscribe>
Newsgroups comp.lang.python
Message-ID <mailman.662.1380758566.18130.python-list@python.org> (permalink)
Lines 29
NNTP-Posting-Host 2001:888:2000:d::a6
X-Trace 1380758566 news.xs4all.nl 15895 [2001:888:2000:d::a6]:51744
X-Complaints-To abuse@xs4all.nl
Xref csiph.com comp.lang.python:55392

Show key headers only | View raw

On Wed, 02 Oct 2013 15:20:00 +0300, ????? <nikos.gr33k@gmail.com> declaimed
the following:

>
>Okey he uses the password and he gain access to the databases, then 
>what? MySQL is a database server how can he run run arbitrary shell 
>commands by using MySQL?
>

	Well, #1, if your account/password is the database administrator, then
they can create a new database user with full privileges -- so if you
change your password but don't examine the authorization system they could
still get into the database.

	#2 -- the SELECT statement has options for "INTO OUTFILE 'filename'"
and "INTO DUMPFILE 'filename'".

	The result: If someone can create a temporary table, they can then
populate the table with lines of HTML (using INSERT statements), and
finally they can SELECT lines FROM temp_table INTO OUTFILE
'/any/thing/the/server/can/access.html'


	It's your server system, YOU need to learn how to investigate the
security system, read logs, etc. -- NONE of which belongs in this group.
-- 
	Wulfraed                 Dennis Lee Bieber         AF6VN
    wlfraed@ix.netcom.com    HTTP://wlfraed.home.netcom.com/

Back to comp.lang.python | Previous | NextPrevious in thread | Next in thread | Find similar | Unroll thread

Thread

Can arbitrary code run in a server if someone's know just the MySQL password? Νίκος <nikos.gr33k@gmail.com> - 2013-10-02 15:20 +0300
  Re: Can arbitrary code run in a server if someone's know just the MySQL password? Antoon Pardon <antoon.pardon@rece.vub.ac.be> - 2013-10-02 14:37 +0200
  Re: Can arbitrary code run in a server if someone's know just the MySQL password? feedthetroll@gmx.de - 2013-10-02 05:38 -0700
    Re: Killing threads with TB (was: Can arbitrary code run in a server if someone's know just the MySQL password?) Tim Chase <python.list@tim.thechases.com> - 2013-10-02 08:21 -0500
    Re: Killing threads with TB Terry Reedy <tjreedy@udel.edu> - 2013-10-02 18:34 -0400
    Re: Killing threads with TB Mark Lawrence <breamoreboy@yahoo.co.uk> - 2013-10-02 23:48 +0100
  Re: Can arbitrary code run in a server if someone's know just the MySQL password? Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2013-10-02 13:25 +0000
    Re: Can arbitrary code run in a server if someone's know just the MySQL password? Νίκος <nikos.gr33k@gmail.com> - 2013-10-02 16:41 +0300
      Re: Can arbitrary code run in a server if someone's know just the MySQL password? Ned Batchelder <ned@nedbatchelder.com> - 2013-10-02 09:58 -0400
        Re: Can arbitrary code run in a server if someone's know just the MySQL password? Νίκος <nikos.gr33k@gmail.com> - 2013-10-02 17:46 +0300
          Re: Can arbitrary code run in a server if someone's know just the MySQL password? ishish <ishish@domhain.de> - 2013-10-02 15:55 +0100
          Re: Can arbitrary code run in a server if someone's know just the MySQL password? Ned Batchelder <ned@nedbatchelder.com> - 2013-10-02 11:15 -0400
          Re: Can arbitrary code run in a server if someone's know just the MySQL password? Denis McMahon <denismfmcmahon@gmail.com> - 2013-10-02 16:02 +0000
          Re: Can arbitrary code run in a server if someone's know just the MySQL password? Ethan Furman <ethan@stoneleaf.us> - 2013-10-02 09:59 -0700
      Re: Can arbitrary code run in a server if someone's know just the MySQL password? Alister <alister.ware@ntlworld.com> - 2013-10-02 14:34 +0000
        Re: Can arbitrary code run in a server if someone's know just the MySQL password? Ravi Sahni <ganeshsahni07@gmail.com> - 2013-10-02 20:43 +0530
          Re: Can arbitrary code run in a server if someone's know just the MySQL password? Νίκος Ακεξόπουλος <nikos.gr33k@gmail.com> - 2013-10-02 20:06 +0300
      Re: Can arbitrary code run in a server if someone's know just the MySQL password? Steven D'Aprano <steve+comp.lang.python@pearwood.info> - 2013-10-02 17:39 +0000
        Re: Can arbitrary code run in a server if someone's know just the MySQL password? Νίκος Αλεξόπουλος <nikos.gr33k@gmail.com> - 2013-10-02 21:02 +0300
  Re: Can arbitrary code run in a server if someone's know just the MySQL password? Dennis Lee Bieber <wlfraed@ix.netcom.com> - 2013-10-02 20:02 -0400
  Re: Can arbitrary code run in a server if someone's know just the MySQL password? Tony the Tiger <tony@tiger.invalid> - 2013-10-04 15:19 -0500

csiph-web