

MySQL Local/Remote Account Password Cracking - ibotty
http://lists.grok.org.uk/pipermail/full-disclosure/2012-December/089076.html

======
ibotty
Previously by kingcope:

<http://seclists.org/fulldisclosure/2012/Dec/2>

<http://seclists.org/fulldisclosure/2012/Dec/4>

<http://seclists.org/fulldisclosure/2012/Dec/5>

<http://seclists.org/fulldisclosure/2012/Dec/6>

<http://seclists.org/fulldisclosure/2012/Dec/8>

5 other exploits/weaknesses. I am curious what will come in the next few
weeks.

------
Nick_C
Off the top of my head, I can't think of a case where a user script absolutely
needs change_user to return quickly. Sounds like change_user should be
modified to return only after a delay, say 1 second.

~~~
robbles
It's sometimes used to clear the connection state with persistent connections
to the database (say for example in a high-traffic web app). Changing to the
same user clears any state and local settings from the previous use of the
connection and cancels the current transaction (I believe).

~~~
Bakkot
Easy enough to make it return instantly when switching to the current user.
This would still allow for someone to crack their own password (a problem if
someone has access to the database without having the password, say by an SQL
injection), but would mitigate most of the problem without breaking things for
almost anyone.

------
piqufoh
This post (and previous) make for good reading, kudos kingcope!

------
M4N14C
Ha, can't crack mine it's ''

