
View Full Version : MySQL server and client vulnerabilities
Ahmad 12-13-2002, 05:13 AM Hi,
MySQL 3.23.54 has just been released as a bug fix release and to patch multiple security vulnerabilities.
Vulnerabilities have been found in both the server and the client library. This means that not only the MySQL server needs to be reinstalled, but also everything compiled with the MySQL client library. This probably includes PHP, Apache, Perl libraries, your MTA, and others.
More information about the security problems:
http://security.e-matters.de/advisories/042002.html
WHAT? HAHAHAHAHA!
surely you are joking!!
Everything? apache??? PHP??? perl???
HAHAHA
maybe even the kernel? ;)
MarkIL 12-13-2002, 11:12 AM Actually, he's mostly right. Anything that wasn't dynamically linked to the client libs will have to be recompiled.
yeah yeah.
when was the last time you saw apache and perl statically or dynamically compiled with libmysqlclient.so ?
ever heard the word FUD?
JohnCrowley 12-13-2002, 11:52 AM Well, recompiling DBI/DBD, libmysqlclient, and php would be definite candidates. Can't say I would recompile Apache...
- John C.
Ahmad 12-15-2002, 03:28 PM Originally posted by rcs
WHAT? HAHAHAHAHA!
surely you are joking!!
Everything? apache??? PHP??? perl???
HAHAHA
maybe even the kernel? ;)
This is not a nice way to make a point. Especially when you could always be wrong.
Now, I never said "Everything" or "the kernel". What I said was:
Apache: many apache installations come with several modules to connect to MySQL databases. The most apparent example is the php module. There are other examples like the MySQL-based auth module. That means that they need the MySQL library. In many cases, the library could be compiled in the binary.
PHP: this is the most obvious example. Most PHP installations have the MySQL client library installed in the binary.
Perl: I didn't say perl, I said perl libraries, because I never saw anybody compile the MySQL client libraries in the perl binary itself.
Your MTA: many MTAs have MySQL extensions that allow you to save lists or configurations in a database. I'm not an expert in MTA security schemes, so I'm not sure if that could mean getting root access to the machine. Still, it is not nice to have faulty code anywhere in your system as you don't know how it could be exploited.
I'll pretend that you apologized, and I'll accept your apology. ( HAHAHAHAHA! :) )
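The posts above argue over which binaries actually carry libmysqlclient: some only load the shared library (an upgraded libmysqlclient.so fixes them), others have the client code compiled in (those must be rebuilt against the patched release). The script below is an added example, not code from the thread or from MySQL, showing one way an administrator could sort a set of binaries into those two groups. It assumes `ldd` and `grep -a` are available, that a dynamically linked binary shows `libmysqlclient` in its `ldd` output, and that a binary with the client compiled in still contains the exported entry-point name `mysql_real_connect` (a real libmysqlclient function; the sample `ldd` lines at the bottom are constructed, not taken from any system).

```shell
#!/bin/sh
# Added example: classify how a binary picked up the MySQL client library.
#   dynamic-mysql  - links libmysqlclient.so at run time; upgrading the
#                    shared library is enough, no rebuild needed
#   embedded-mysql - no libmysqlclient in ldd output, but the client's
#                    entry point is inside the binary (statically linked
#                    client, e.g. a PHP or Apache module built that way);
#                    must be recompiled against the fixed library
#   no-mysql       - nothing to do for this binary

# classify_mysql_linkage LDD_OUTPUT HAS_SYMBOL
#   LDD_OUTPUT: text as printed by `ldd` for the binary
#   HAS_SYMBOL: "yes" if the name mysql_real_connect occurs in the binary
classify_mysql_linkage() {
    ldd_out=$1
    has_symbol=$2
    case "$ldd_out" in
        *libmysqlclient*)
            echo dynamic-mysql
            return 0
            ;;
    esac
    # Static binaries make ldd print "not a dynamic executable" or
    # "statically linked"; either way only the symbol scan can tell us
    # whether MySQL client code is inside.
    if [ "$has_symbol" = yes ]; then
        echo embedded-mysql
    else
        echo no-mysql
    fi
}

# check_binary FILE: run the real checks on one file and print the verdict.
check_binary() {
    f=$1
    # ldd exits non-zero on static binaries; keep its message anyway.
    ldd_out=$(ldd "$f" 2>&1 || true)
    if grep -a -q mysql_real_connect "$f"; then
        sym=yes
    else
        sym=no
    fi
    printf '%s: %s\n' "$f" "$(classify_mysql_linkage "$ldd_out" "$sym")"
}

if [ $# -gt 0 ]; then
    # Usage: sh check_mysql_linkage.sh /usr/sbin/httpd /usr/bin/php ...
    for f in "$@"; do
        check_binary "$f"
    done
else
    # Constructed sample ldd lines (not captured from a real host) so the
    # classifier demonstrates itself when run without arguments.
    classify_mysql_linkage 'libmysqlclient.so.10 => /usr/lib/libmysqlclient.so.10 (0x40012000)' no
    classify_mysql_linkage 'libc.so.6 => /lib/libc.so.6 (0x40000000)' yes
    classify_mysql_linkage 'not a dynamic executable' yes
    classify_mysql_linkage 'libc.so.6 => /lib/libc.so.6 (0x40000000)' no
fi
```

Running it over the candidates named in the thread (the Apache and PHP binaries, Perl's DBD::mysql shared object, the MTA) gives a rebuild list instead of a guess; anything reported as `embedded-mysql` keeps the old client code no matter how many times the shared library is upgraded.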
RogelioH 12-15-2002, 05:01 PM Hello Guys,
Actually I knew about the mysql vulnerabilities way before the advisory was out, I knew about it a few months before and I currently have a local exploit and am working on a remote one, please upgrade and patch up because there are more vulnerabilities in it.
bitserve 12-16-2002, 08:51 PM Originally posted by RogelioH
Hello Guys,
Actually I knew about the mysql vulnerabilities way before the advisory was out, I knew about it a few months before and I currently have a local exploit and am working on a remote one, please upgrade and patch up because there are more vulnerabilities in it.
If that were true, which I doubt, perhaps you should have let the vendor know, like e-matters actually did.
RogelioH 12-17-2002, 06:33 AM If you don't believe me you can ask Rusko. I am a white hat, if you can say so; I am a security consultant, and I am very interested in the security scene and I have strong ties to underground communities. I usually know and get things before they are actually published. This helps me out a lot because I can patch and do things before they are released to script kiddies. You can ask rusko, he has been my witness to many things, like rsync, mysql etc etc
rusko 12-17-2002, 01:50 PM Originally posted by bitserve
If that were true, which I doubt, perhaps you should have let the vendor know, like e-matters actually did.
first off he is right, we did discuss the vuln before it was published. on my side of the equation, i have known about several vulns such as openssh, apache, lpd and wuftpd before they were published in the past.
in these cases, the last thing you want to do is notify the vendor and betray the trust of those who warned you - it is their vuln, their discovery and their intellectual property.
cheers,
paul
RogelioH 12-17-2002, 05:03 PM thank you rusko, someone understands.
bitserve 12-18-2002, 11:00 PM Originally posted by RogelioH
If you don't believe me you can ask Rusko. I am a white hat, if you can say so; I am a security consultant, and I am very interested in the security scene and I have strong ties to underground communities. I usually know and get things before they are actually published. This helps me out a lot because I can patch and do things before they are released to script kiddies. You can ask rusko, he has been my witness to many things, like rsync, mysql etc etc
I understand that security companies may share information with other security companies in order to confirm their findings. Are you saying that you were one of the people that would have been privy to that information?
Ahmad 12-19-2002, 03:59 AM So you guys hang out with some black hats and they tell you what they find as long as you don't report it?
Hmmm.. :rolleyes:
RogelioH 12-19-2002, 05:24 PM Ahmad, I was once part of the scene so I have very strong contacts and ties, I have many friends and I still work on projects with them. It's just the code and I follow it, just like when you were in school and someone cheated, you didn't tell on that person.
Ahmad 12-20-2002, 04:14 PM Sorry for underestimating you. You know how many people try to give an impression that they are experts in the fields. It makes it harder to know who truly is.
Regarding reporting, I get your point. Still, it's not right to give some kinds of information to people you are sure will use it in the wrong way, not to mention trying not to leak the information to people that really need to know it (the developers).
RogelioH 12-21-2002, 12:45 PM Yes, I understand your point of view. It is not up to me to submit the vulnerabilities to the developers because it's another person's discovery and intellectual property like rusko said. Once I have something of people that I know find something, we just don't make scanners etc for mass hacking purposes. We do it to understand and for the fundamental reasons. We try to keep it as quiet as possible and not to distribute our work to script kiddies that will use it for harm.
bitserve 12-21-2002, 03:31 PM Let's say that I claim that my uncle discovered Kevlar two months before DuPont did? And I also claim that using this information I developed a process for production, before DuPont even discovered it.
Is anyone going to believe me? Unless I can prove it, there is no reason for me to even state this. Because everyone is going to think that I'm trying to steal some glory from DuPont, and I'll come off as a crackpot liar, rather than as someone who was just in an interesting place at an interesting time with the knowledge to develop a production method for Kevlar.
So until you prove it, I'll continue to believe that you are a crackpot liar. So as long as that doesn't bother you, thanks for posting.
I will continue to believe that e-matters is the first one to have discovered the specific vulnerabilities that they mentioned. I don't even know why a criminal would be concentrating on auditing MySQL. As if that would gain them access to any machines that they didn't already have an account on.
RogelioH 12-21-2002, 05:17 PM Well, I don't mind if you don't believe me. I provide Security Consulting services and Security sys admin on the side for very popular Hosting Companies. For now we haven't had any incidents of compromise or anything. The companies that I work for are very happy since I also warned them about mysql and other vulnerabilities which I do not dare mention here.
rusko 12-22-2002, 10:43 PM there is a big difference between warning people about new unreleased vulns and giving them the code to exploit them. please note that there is also a big difference between the people who find the vulns and code exploits and those who actually use them to gain unauthorized access to systems. as for letting the developers know, that is up to the author of the exploit.
im not going to push my security services or explain why and how i know about unreleased vulns etc. sometimes i just know about them, sometimes i get to see enough of the code to know what to patch, sometimes i get to look at the whole monty. i have no interest in 'rooting' other people's boxen, nor do the others that are privy to the details. this information is provided as a value added service and is very much appreciated by those who receive it.
this is hardly unethical, as i am being hired for my expertise, which includes among other things my knowledge of existing security risks.
bitserve: you obviously know nothing about infosec researchers. people who are interested in gaining unauthorized access to systems will *never* find a significant vulnerability. after all, why should they bother learning c, assembly and spend hours on end auditing code when they can just hang on irc and trade 0day exploits? people that find the holes are very knowledgeable persons that are interested in it as a science, if you will. they are faced with an intellectual challenge and the reward is solving the puzzle. name recognition (fame) within the community is a factor as well, which is why most go for popular software packages as opposed to windows shareware.
last thought im going to leave you with is this: information is a commodity - the more private the information the more demand there will be for those who possess it. this is no different than hiring someone because they are familiar with a certain field.
cheers,
paul
bitserve 12-24-2002, 02:49 PM If it helps, I corresponded with someone at e-matters that also doesn't believe you two. But we're willing to believe you when you prove it. Which would be quite difficult, but you refuse to anyway, as I expected. But it proves one of my points, which I tried to explain in analogy, but it still seemed to go over your heads. There was no point in posting a claim that you were unwilling to prove, as it just makes you look like a crackpot liar.
Rusko, your post makes no sense. You claim that recognition is important to these people. But then they should have announced the vulnerability before e-matters did, so that they would have been recognized as the founder of the vulnerability.
I doubt that there was someone else auditing the code before e-matters did, that found the same specific vulnerabilities, that chose not to release the information so that e-matters could be recognized for it instead.
It's funny that it's "obvious" to you that I know nothing about information security. Because if that's so, it must be even more obvious to you that you know less than me.