# MySQL bug: access with shell code



## Gio01 (May 16, 2012)

Hello.
I have a bug, and all MySQL server versions are affected by it:
my friend can access it with a shell without entering any data or password.
And he can bypass the login security.
How can I block it? Thank you

My friend can access my MySQL server from the command line without a password. How can I block this?


----------



## SirDice (May 16, 2012)

Not enough information. Please post the exact vulnerability.

If it's this one: http://www.securityfocus.com/bid/10654/discuss you need to seriously update your system as that bug is extremely old.


----------



## Gio01 (May 16, 2012)

I have FreeBSD 8.2 64-bit.
MySQL version is 5.5.22.
My friend works from his shell and he said he can connect without user and password and can do anything he wants.
I don't know how to fix this issue...

FreeBSD 8.2, 64 bit. MySQL 5.5.22.


----------



## SirDice (May 16, 2012)

Show us how he did it. I don't know how to fix the issue if I don't know what the problem is.


----------



## Gio01 (May 16, 2012)

In short, my friend, with a shell bug, can log into all existing MySQL servers without ID and password.

My friend can log into MySQL server without username and password.


----------



## SirDice (May 16, 2012)

I'm not clairvoyant. I'm not a mindreader either.

In short, I can't tell you what's going on because I have no idea what your friend does.


----------



## Gio01 (May 16, 2012)

But what is not clear? My friend has a shell and enters MySQL without any data.

But how does my friend enter MySQL server without data?


----------



## SirDice (May 16, 2012)

I get that. Just not what exactly he does to get access.


----------



## Gio01 (May 16, 2012)

It takes a shell and exploits a flaw in MySQL 5.5.22.
I just need to know how to block it with shell access.

It's a shell exploit of a flaw in MySQL 5.5.22. I just need to know how to block it.


----------



## SirDice (May 16, 2012)

What flaw? How about updating to 5.5.24?


----------



## Gio01 (May 16, 2012)

He only says: works with one shell to bypass the login system.
Maybe I upgrade... how can I?

He says he can bypass the login system from the shell. How can I upgrade?


----------



## SirDice (May 16, 2012)

[thread=26140]HOWTO: keeping FreeBSD's base system and packages up-to-date[/thread]


----------



## usdmatt (May 16, 2012)

Are you sure this is actually a bug and not that you just haven't set a root password?


```
mysqladmin -u root password 'newpassword'
```

A default install of MySQL will allow full access from localhost by just running mysql -u root.

I'll be very surprised if there's a current bug that allows console login without a password when one has been set. If there is and your friend knows enough about it to take advantage, surely he knows what the bug is and the fix? (either by upgrading to a version without the bug or changing some configuration)
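The account audit and cleanup this post implies, written out as an added example (not from the thread or from MySQL's own tooling). It assumes MySQL 5.5 (where `mysql.user` still has a `Password` column) and is run as root from the local `mysql` client; `CHANGE_ME` is a placeholder.

```sql
-- Added example: close the default-install gaps described in this thread
-- (root with an empty password, anonymous '' accounts, the open "test"
-- database). Assumes MySQL 5.5; run as root from the local mysql client.

-- 1. Which accounts can log in with no password, or with no username at all?
SELECT User, Host, Password
  FROM mysql.user
 WHERE Password = '' OR User = '';

-- 2. Give every root row a real password (root usually has several Host
--    rows: localhost, 127.0.0.1, ::1, the machine's hostname).
--    'CHANGE_ME' is a placeholder; use a strong password.
UPDATE mysql.user
   SET Password = PASSWORD('CHANGE_ME')
 WHERE User = 'root' AND Password = '';

-- 3. Remove the anonymous accounts that a bare "mysql" from the console
--    can fall through to.
DELETE FROM mysql.user WHERE User = '';

-- 4. Drop the world-accessible test database and its default grant row
--    (stored literally as test\_%).
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db WHERE Db = 'test' OR Db = 'test\_%';

-- 5. Re-read the grant tables so the changes take effect.
FLUSH PRIVILEGES;

-- 6. Verify: this should now return no rows.
SELECT User, Host FROM mysql.user WHERE Password = '' OR User = '';
```

The `mysqladmin` one-liner above covers step 2 for a single `root@localhost` row; the queries here show which other rows and accounts remain open.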


----------



## Gio01 (May 16, 2012)

I have set a password. My friend doesn't tell me how he does it.


----------



## SirDice (May 16, 2012)

@usdmatt: Yeah, thought of that. There are also various test accounts that will give access. Proper administration fixes that issue. And I wouldn't want to call it a bug, just a badly configured application.

That's why I really want to know exactly what commands his friend uses. Or else we'll be shooting in the dark until the cows come home.

@Gio01: Did you actually read anything I posted?


----------



## Gio01 (May 16, 2012)

I have read and I have updated, but same problem.
This is a bug. How can I fix it?
I worked about 3 days and found no solution.

Can an IP ban solve that?



UPDATE: my friend told me that:
he enters a query 0psw the "standard" with a little tweaking adapted to mysql db

The problem persists after an update. How can I fix this bug? Can I use an IP ban?

My friend told me that he "enters a query 0psw the "standard" with a little tweaking adapted to mysql db"


----------



## SirDice (May 16, 2012)

Ask your friend to show it to you. Take notes, write everything down what he does. Post that information here.


----------



## DutchDaemon (May 16, 2012)

My head hurts. 

Gio, if your next post does not contain any usable information that actually illustrates the problem or "hack", this thread will not survive. It is without any merit. 

And please invest some effort into writing proper posts: http://forums.freebsd.org/showthread.php?t=18043


----------

