Bug #58152 | Option to hide server version | ||
---|---|---|---|
Submitted: | 12 Nov 2010 2:26 | ||
Reporter: | Mikiya Okuno | Email Updates: | |
Status: | Verified | Impact on me: | |
Category: | MySQL Server: Options | Severity: | S4 (Feature request) |
Version: | any | OS: | Any |
Assigned to: | | CPU Architecture: | Any |
[12 Nov 2010 2:26]
Mikiya Okuno
[12 Nov 2010 2:33]
Davi Arnaut
Can't the cracker just attempt to use the exploit?
[12 Nov 2010 9:50]
MySQL Verification Team
Davi, Yeah, you're right. By hiding version information, an attacker must guess whether an exploit. This will cause some failed attempts to attack the server, then logs may give the defender a chance to block an attacker.
[7 Jun 2012 7:10]
MySQL Verification Team
I believe an unauthenticated user should not need to know the exact version. They should know just enough to get authenticated, but not more. "telnet <IP> 3306" will give it to any host that is allowed. I guess it's okay for an authenticated user to see the version via SELECT VERSION().
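To illustrate the comment above, the following added example (not part of the bug report and not MySQL code) parses the first packet a server sends before authentication and shows where the version string sits. It assumes the protocol version 10 handshake layout; both sample packets, the version string `5.5.0-example` and the address `192.0.2.10` are constructed, and the handshake sample is cut off after the first salt block.

```python
import struct

def build_packet(payload: bytes, seq: int = 0) -> bytes:
    """Frame a payload as a MySQL packet: 3-byte LE length + 1-byte sequence id."""
    return struct.pack("<I", len(payload))[:3] + bytes([seq]) + payload

def parse_greeting(data: bytes) -> dict:
    """Parse the first server packet, which arrives before any credentials are sent."""
    if len(data) < 4:
        raise ValueError("truncated packet header")
    length = int.from_bytes(data[:3], "little")
    payload = data[4:4 + length]
    if length == 0 or len(payload) != length:
        raise ValueError("truncated payload")
    if payload[0] == 0xFF:
        # ERR packet: sent instead of a handshake, e.g. when the client
        # host is not allowed to connect. It carries no version string.
        code = int.from_bytes(payload[1:3], "little")
        return {"kind": "error", "code": code,
                "message": payload[3:].decode("latin-1")}
    if payload[0] != 10:
        raise ValueError("unexpected protocol version %d" % payload[0])
    # Handshake: protocol byte, NUL-terminated server version, 4-byte thread id.
    end = payload.index(b"\x00", 1)  # ValueError if the terminator is missing
    if len(payload) < end + 5:
        raise ValueError("handshake too short")
    return {"kind": "handshake",
            "server_version": payload[1:end].decode("ascii", "replace"),
            "connection_id": int.from_bytes(payload[end + 1:end + 5], "little")}

# Constructed samples (not captured from a real server).
SAMPLE_HANDSHAKE = build_packet(
    b"\x0a" + b"5.5.0-example\x00" + struct.pack("<I", 42) + b"abcdefgh\x00")
SAMPLE_DENIED = build_packet(
    b"\xff" + struct.pack("<H", 1130)
    + b"Host '192.0.2.10' is not allowed to connect to this MySQL server")

if __name__ == "__main__":
    for name, pkt in (("allowed host", SAMPLE_HANDSHAKE),
                      ("denied host", SAMPLE_DENIED)):
        print(name, "->", parse_greeting(pkt))
```

Running the parser against your own server's greeting from an untrusted network segment shows what an unauthenticated client learns there.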
[29 Mar 2021 6:27]
xingchen lu
Hi Dev team, any plan to fix this problem?
[29 Mar 2021 6:28]
xingchen lu
Hi Dev team, any plan to fix this problem?