From: Scott Fuhriman (fuhrimans@llix.net)
Date: Mon Jul 18 2005 - 19:50:58 EDT
This particular vulnerability in regards to not setting the password for
mySQL is related to local user accounts on the machine, but also to remote
users indirectly. Depending on the security of the box and the
configuration, it may actually be accessible from a remote connection
attempt.
Without a password any local user could easily access the database with
admin privileges. Although this is a vulnerability to the accounts on the
local machine it also means that if an account was compromised on the
machine through some other system vulnerability, then the remote user would
also in effect have local user access. This would provide the malicious
user with the ability to also gain "easy" access to the database.
Rather than rooting out false positives, it is a question of understanding
the vulnerability and how it can be exploited through other means than an
obvious direct approach.
Scott Fuhriman
-----Original Message-----
From: Erin Carroll [mailto:amoeba@amoebazone.com]
Sent: Monday, July 18, 2005 4:20 PM
To: pen-test@securityfocus.com
Subject: Rooting out false positives
I recently rejected the below submission to the list as it was more
appropriate for Tenable's nessus list rather than pen-test but I wanted to
submit it with an addendum to bring up a topic which I would love to see
discussed: How do list members deal with rooting out false positives? When
do you have "enough" feedback in pen-testing a possible vunerability before
putting something in the false positive column?
5 years ago certain vulnerabilities would have been beyond my skill level at
the time to assess and verify correctly. I'm sure there are things now that
fall into that area as well. What methods do you guys use to minimize that
situation from occuring?
> -----Original Message-----
> From: darkslaker [mailto:darkslaker.secure@gmail.com]
> Sent: Monday, July 18, 2005 2:48 PM
> To: pen-test@securityfocus.com
> Subject: Help with MYSQL
>
> In my last PT , nessus detect
>
> Your MySQL database is not password protected.
>
> Anyone can connect to it and do whatever he wants to your data
> (deleting a database, adding bogus entries, ...) We could collect the
> list of databases installed on the remote host :
>
> i couldnīt connect with the Server. I think is a False Positive. But i
> not sure in this case.
>
> I tray to connect with perl , php , mysql and mysqldump.
>
> Anyone have information about this.
>
>
> DarkSlaker
>
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:36 EDT