Vulnerability Details

MySQL Unauthenticated Remote Access Vulnerability

  • CNNVD ID: CNNVD-200002-036
  • Severity: High
  • CVE ID: CVE-2000-0148
  • Vulnerability type: Access validation error
  • Published: 2000-02-08
  • Threat type: Remote
  • Updated: 2006-09-21
  • Vendor: Oracle
  • Vulnerability source: This vulnerability...

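Vulnerability Summary

A vulnerability exists in MySQL 3.22. A remote attacker can use a short check string to bypass password authentication and access the database.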

Vulnerability Advisory

Version 3.22.32 has been made available by the vendor at:

  http://www.mysql.com/download_3.22.html

This version will fix the vulnerabilities outlined in this entry. A fixed version of the 3.23.x tree (Alpha tree) will be available shortly.

FreeBSD has made fixed FreeBSD ports of MySQL available at:

  • ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/databases/mysql-server-3.22.32.tgz
  • ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-current/databases/mysql-server-3.22.32.tgz
  • ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-current/databases/mysql-server-3.22.32.tgz

An unsupported patch was provided with the vulnerability posting: change the routine 'check_scramble' in mysql-3.22.26a/sql/password.c to do a length check _before_ starting the compare. This should be as easy as inserting the following just above the while (*scrambled) loop:

    if (strlen(scrambled) != strlen(to)) {
        return 1;
    }

Additional security can be achieved by only allowing essential hosts the ability to connect to the database server.
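As an added illustration (a simplified model, not MySQL source code and not part of the original advisory), the C program below contrasts a comparison loop bounded only by the client-supplied string with the same loop preceded by the advisory's length check. The function names, the `expected` parameter and the sample strings are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Simplified model, not MySQL source. Returns 0 on match, 1 on mismatch.
 * `expected` is a constructed stand-in for the value the server computes;
 * the real routine derives it from the stored password hash. */
static int check_unpatched(const char *scrambled, const char *expected)
{
    const char *to = expected;

    while (*scrambled) {            /* iteration count set by client input */
        if (*scrambled++ != *to++)
            return 1;
    }
    return 0;   /* bytes of `expected` beyond the client's length: unchecked */
}

/* Same loop, preceded by the length check the advisory describes. */
static int check_patched(const char *scrambled, const char *expected)
{
    if (strlen(scrambled) != strlen(expected))
        return 1;
    return check_unpatched(scrambled, expected);
}

int main(void)
{
    const char *expected = "ABCDEFGH";                   /* constructed */
    const char *inputs[] = { "ABCDEFGH", "ABCDEFGX", "ABCDEFGHI", "A" };
    size_t i;

    printf("%-12s %-10s %s\n", "client", "unpatched", "patched");
    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-12s %-10s %s\n", inputs[i],
               check_unpatched(inputs[i], expected) ? "reject" : "ACCEPT",
               check_patched(inputs[i], expected) ? "reject" : "ACCEPT");
    return 0;
}
```

Only the truncated input differs between the two columns, which makes it a useful regression case when verifying that a build carries the length check.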

References

  • Source: BID; Name: 975; Link: http://www.securityfocus.com/bid/975
  • Source: BUGTRAQ; Name: 20000208 Remote access vulnerability in all MySQL server versions; Link: http://archives.neohapsis.com/archives/bugtraq/2000-02/0053.html
