Bug #28089 | Combination of FEDERATED and EVENTs allows for self-replicating worm | ||
---|---|---|---|
Submitted: | 25 Apr 2007 9:35 | Modified: | 26 Apr 2007 15:46 |
Reporter: | Beat Vontobel (Silver Quality Contributor) (OCA) | Email Updates: | |
Status: | Not a Bug | Impact on me: | |
Category: | MySQL Server: General | Severity: | S2 (Serious) |
Version: | 5.1 | OS: | Any |
Assigned to: | CPU Architecture: | Any | |
Tags: | events, federated, Security, worm |
[25 Apr 2007 9:35]
Beat Vontobel
[26 Apr 2007 15:46]
Giuseppe Maxia
Thanks for this report. From your description, for the "worm" to work, the following facts must happen: 1. the DBA has to create a global user with access to the mysql database; 2. the above user must be given grants to connect from anywhere 3. the user must be given a guessable username and password. 4. and, of course, the above facts must be in combination with the events being enabled. If the above conditions are fulfilled, the worm is theoretically feasible, assuming that there are enough careless (suicidal?) users who are willingly exposing their credentials to the web. However, the same would be true for any application that accepts connections across the network. Using the same principle, you could write a shell script "worm" that exploits Linux installations with "root/root" username and password combinations. You could scan the internet looking for this combination to be exploited, and you may succeed, but you don't hold accountable Ubuntu or Fedora for it. Similarly, MySQL can't be blamed for the possibility of users weakening their system. If the described scenario were exploitable with MySQL default setup, then you would have a point. But the default setup won't allow access to the mysql database across the network. Therefore, much as I agree that this scenario has some tiny chances to be exploited, that can happen due to people taking some explicit self-damaging action.