Quote:
A simple but serious MySQL and MariaDB authentication bypass flaw has been revealed by MariaDB security coordinator Sergei Golubchik, and exploits targeting it have already been found in the wild.
An attacker who knows a correct username (usually the ubiquitous "root") can easily connect using a random password by repeating connection attempts.
"~300 attempts takes only a fraction of second, so basically account password protection is as good as nonexistent," wrote Golubchik.
Quote:
Metasploit's HD Moore says that, so far, 64-bit versions of Ubuntu Linux, OpenSuSE 12.1 64-bit, Fedora 16 64-bit and Arch Linux have been found to have vulnerable MySQL releases, while a number of Debian, Gentoo, CentOS and SuSE versions - as well as the official builds from MySQL and MariaDB - seem not to be affected.
MariaDB and MySQL versions up to 5.1.61, 5.2.11, 5.3.5, 5.5.22 are vulnerable.
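
A defender-side check for the rapid repeated-attempt pattern described in the quotes above, as an added example (not from the quoted article or the poster): it scans a MySQL error log for bursts of failed password logins per user and source host. The log line shape (a MySQL 5.x error log with failed logins recorded), the threshold and the window are assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line shape (MySQL 5.x error log with failed logins recorded), e.g.
# 120611 10:15:01 [Warning] Access denied for user 'root'@'192.0.2.10' (using password: YES)
DENIED = re.compile(
    r"^(\d{6} +\d{1,2}:\d{2}:\d{2}) \[Warning\] Access denied for user "
    r"'([^']*)'@'([^']*)' \(using password: YES\)"
)

def find_bursts(lines, threshold=50, window=timedelta(seconds=5)):
    """Return {(user, host): peak} for sources that reach at least
    `threshold` password failures inside any sliding `window`."""
    recent = defaultdict(deque)  # (user, host) -> timestamps still in window
    peaks = {}
    for line in lines:
        m = DENIED.match(line)
        if not m:
            continue  # not a failed password login
        # Collapse the double space the log uses for single-digit hours.
        ts = datetime.strptime(" ".join(m.group(1).split()), "%y%m%d %H:%M:%S")
        key = (m.group(2), m.group(3))
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            peaks[key] = max(peaks.get(key, 0), len(q))
    return peaks

def constructed_log():
    """Constructed sample: 300 failures in 2 s from one host, plus normal noise."""
    lines = ["120611 10:14:00 [Note] /usr/sbin/mysqld: ready for connections."]
    for i in range(300):
        lines.append(f"120611 10:15:{i // 150:02d} [Warning] Access denied for user "
                     "'root'@'192.0.2.10' (using password: YES)")
    for sec in (5, 40):  # an operator mistyping a password twice
        lines.append(f"120611 10:16:{sec:02d} [Warning] Access denied for user "
                     "'app'@'192.0.2.20' (using password: YES)")
    return lines

if __name__ == "__main__":
    for (user, host), peak in find_bursts(constructed_log()).items():
        print(f"burst: {peak} failed logins for {user!r} from {host} within 5s")
```

A burst flagged here only shows the repeated-attempt pattern; whether a given server is affected still depends on its version and build, as the quotes note.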