Bug #38707 | Port 3306 exposing sensitive details | | |
---|---|---|---|
Submitted: | 11 Aug 2008 0:05 | Modified: | 18 Aug 2008 9:32 |
Reporter: | Rico Suave | Email Updates: | |
Status: | Won't fix | Impact on me: | |
Category: | MySQL Server | Severity: | S1 (Critical) |
Version: | 5.0.51 | OS: | Linux |
Assigned to: | | CPU Architecture: | Any |
Tags: | octet-stream, port 3306 security, sensitive file exposed | | |
[11 Aug 2008 0:05]
Rico Suave
[11 Aug 2008 9:34]
Sveta Smirnova
Thank you for taking the time to write to us, but this is not a bug. Please double-check the documentation available at http://dev.mysql.com/doc/ and the instructions on how to report a bug at http://bugs.mysql.com/how-to-report.php. You have to connect to the MySQL server using a client intended for it, like the mysql command line client or MySQL Query Browser.
[18 Aug 2008 9:32]
Sergei Golubchik
According to http://forge.mysql.com/wiki/MySQL_Internals_ClientServer_Protocol#Handshake_Initialization... the initial handshake packet contains the server version and server capabilities. Yes, one can argue that it's information exposure and a security issue. Still, if the server itself is secure, then exposing this information is not a problem; if it's not - an old version with known security bugs, for example - then hiding the version will hardly help anyway. Security by obscurity is rarely a solution.
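
The handshake initialization packet discussed in the last comment, as an added example (not part of the original thread and not MySQL's own code): a parser for the protocol-10 handshake that lists the fields a server discloses before any authentication. The sample packet is constructed rather than captured, and the function names are hypothetical.

```python
import struct

# Some of the lower 16 capability bits named in the MySQL client/server protocol.
CAPABILITIES = {
    0x0001: "LONG_PASSWORD", 0x0008: "CONNECT_WITH_DB", 0x0020: "COMPRESS",
    0x0080: "LOCAL_FILES", 0x0200: "PROTOCOL_41", 0x0800: "SSL",
    0x2000: "TRANSACTIONS", 0x8000: "SECURE_CONNECTION",
}

def build_sample_packet() -> bytes:
    """Constructed handshake for illustration (not captured from a real server)."""
    payload = (
        b"\x0a" + b"5.0.51\x00"                        # protocol 10, server version
        + struct.pack("<I", 42) + b"ABCDEFGH"          # thread id, scramble part 1
        + b"\x00" + struct.pack("<HBH", 0xA229, 8, 2)  # filler, caps, charset, status
        + b"\x00" * 13 + b"IJKLMNOPQRST\x00"           # filler, scramble part 2
    )
    # Packet header: 3-byte little-endian payload length, then sequence number 0.
    return len(payload).to_bytes(3, "little") + b"\x00" + payload

def parse_handshake(packet: bytes) -> dict:
    """Return the fields the server sends before the client has authenticated."""
    if len(packet) < 4:
        raise ValueError("truncated packet header")
    length, seq = int.from_bytes(packet[:3], "little"), packet[3]
    payload = packet[4:4 + length]
    if len(payload) != length or length < 2:
        raise ValueError("truncated payload")
    if payload[0] == 0xFF:
        raise ValueError("server sent an error packet instead of a handshake")
    if payload[0] != 10:
        raise ValueError(f"unsupported protocol version {payload[0]}")
    end = payload.find(b"\x00", 1)           # server version is NUL-terminated
    fixed = payload[end + 1:end + 19]        # 18 fixed-layout bytes follow it
    if end < 0 or len(fixed) < 18:
        raise ValueError("malformed handshake body")
    thread_id, _scramble, _fill, caps, charset, status = struct.unpack("<I8sBHBH", fixed)
    return {
        "sequence": seq,
        "server_version": payload[1:end].decode("ascii", "replace"),
        "thread_id": thread_id,
        "charset": charset,
        "status": status,
        "capabilities": sorted(n for bit, n in CAPABILITIES.items() if caps & bit),
    }

if __name__ == "__main__":
    for field, value in parse_handshake(build_sample_packet()).items():
        print(f"{field}: {value}")
```
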