MySQL authentication vulnerability: fixed by upgrading to 5.5.24

This morning I opened the computer and saw an amazing thread: a big security vulnerability had broken on seclists, affecting almost all versions from 5.1 to 5.5. The problem is in the part of the code that checks the password at login (password.c): given a user name (such as root), a login can succeed by trying again and again (about 256 times). However, MySQL authenticates on a 3-tuple of username, IP and password. If the client IP has no corresponding entry in the mysql.user table, the login is still refused.

This bug was actually discovered as early as April, and it was fixed on May 7th of this year, when MySQL released 5.5.24.

Vulnerability analysis:

The problem code is as follows:

Check that scrambled message corresponds /*
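The "about 256 times" figure matches a comparison result that is narrowed to a one-byte boolean: `memcmp` is only specified to return a negative, zero or positive `int`, and any nonzero value whose low 8 bits are zero then reads as "equal". The following is an added example, not MySQL's code and not part of the original post; the type and function names are hypothetical, and it shows the flawed narrowing beside the corrected one.

```c
#include <string.h>

#define DIGEST_LEN 20        /* SHA-1 sized digest (assumed length) */
typedef char one_byte_bool;  /* hypothetical name: a boolean stored in one char */

/* Flawed form: the int comparison result is narrowed to one byte, so a
   nonzero result such as 256 or -512 becomes 0, which means "match".
   (Narrowing to char keeps the low 8 bits on gcc and clang.) */
one_byte_bool mismatch_truncated(int cmp_result)
{
    return (one_byte_bool)cmp_result;
}

/* Corrected form: collapse the result to 0 or 1 before narrowing. */
one_byte_bool mismatch_normalized(int cmp_result)
{
    return (one_byte_bool)(cmp_result != 0);
}

/* Digest check wired to the corrected form: nonzero means reject. */
one_byte_bool digest_mismatch(const unsigned char *expected,
                              const unsigned char *received)
{
    return mismatch_normalized(memcmp(expected, received, DIGEST_LEN));
}

/* Count the nonzero comparison results in [-limit, limit] that a given
   narrowing function reports as a match (return value 0). */
int false_accepts(one_byte_bool (*narrow)(int), int limit)
{
    int count = 0;
    for (int r = -limit; r <= limit; r++)
        if (r != 0 && narrow(r) == 0)
            count++;
    return count;
}
```

Compiling with `-Wconversion` flags the implicit form of this narrowing, which is a cheap check to run over any code that returns a comparison result through a small integer type.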
