Date: Wed, 17 Feb 1999 10:00:29 -0600
From: "Christofer C. Bell" <cbell@ATLAS.UNION.UKANS.EDU>
To: BUGTRAQ@NETSPACE.ORG
Subject: mSQL vulnerability.
I'd like to point out that mSQL by default (all versions) DO NOT have
hosts based access control enabled. Note that when you start the msql2d
process for the first time, you see this message:
Mini SQL Version 2.0.7 Copyright (c) 1993-94 David J. Hughes Copyright (c)
1995-99 Hughes Technologies Pty Ltd. All rights reserved.
Loading configuration from '/usr/local/Hughes/msql.conf'.
Server process reconfigured to accept 200 connections.
Server running as user 'msql'.
Server mode is Read/Write.
Warning : No ACL file. Using global read/write access.
The "Warning:" is the important part. Even if you use the provided
msql.acl.sample file as your acl file, the permissions are as follows:
database=test
read=bambi,-root
write=root
host=*
access=local,remote
option=rfc931
database=minerva
read=*
write=minerva
access=local
This sets up some form of access restrictions on databases 'test' and
'minerva' but not on any databases YOU create. Please make sure to edit
this file and use host based security.
--
Christofer C. Bell Systems Analyst
OSSC - Systems Management email: cbell@inetdb.com
Sprint Communications phone: 913-534-2535
