MySQL GRANT Global Password Changing Vulnerability

Solution:
MySQL 3.22.30 has been released and is not vulnerable to this problem.

Sasha Pachev <sasha@mysql.com> sent us the following patch on January 12, 1999:

-----------start-----------------------
*** /my/monty/master/mysql-3.23.8-alpha/sql/sql_parse.cc Fri Dec 31 13:53:03 1999
--- ./sql_parse.cc Mon Jan 10 21:53:59 2000
***************
*** 1222,1227 ****
--- 1222,1246 ----
tables ? &tables->grant.privilege : 0,
tables ? 0 : 1))
goto error;
+
+ /* Check that the user isn't trying to change a password for another
+ user if he doesn't have UPDATE privilege to the MySQL database
*/
+
+ List_iterator <LEX_USER> user_list(lex->users_list);
+ LEX_USER *user;
+ while ((user=user_list++))
+ {
+ if (user->password.str &&
+ (strcmp(thd->user,user->user.str) ||
+ user->host.str && my_strcasecmp(user->host.str,
+ thd->host ? thd->host : thd->ip)))
+ {
+ if (check_access(thd, UPDATE_ACL, "mysql",0,1))
+ goto error;
+ break; // We are allowed to do changes
+ }
+ }
+
if (tables)
{
if (grant_option && check_grant(thd,
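
Review bot: the host test in the added condition, `user->host.str && my_strcasecmp(user->host.str,`, is skipped whenever `user->host.str` is null, so a password clause naming the caller's own user name with no host part never reaches `check_access(thd, UPDATE_ACL, "mysql",0,1)`. If the parser can leave the host unset here, that entry should be treated as a different account and require the UPDATE check; if it always fills in a default, say so in the comment above the loop. Two smaller points in the same expression: the `&&` clause sits inside an `||` without its own parentheses, which parses as intended but is easy to misread in a security check, and `thd->user` is passed to `strcmp` without the kind of null fallback that `thd->host ? thd->host : thd->ip` gives the host side.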

----------------end-------------------



 

Copyright 2010, SecurityFocus