[MDEV-3909] remote user enumeration - Jira

Details

Type: Bug
Status: Closed (View Workflow)
Priority: Major
Resolution: Fixed
Affects Version/s: 5.5.28a, 5.3.11, 5.2.13, 5.1.66
Fix Version/s: 5.5.29, 5.2.14, 5.3.12
Component/s: None
Labels:
None

Description

During the initial handshake, the server replies immediately to the incorrect user name with "Access denied". But if the user name is correct, but the authentication mechanism is not - like a short scramble, when a long one is needed, or a plugin should be used - the server might reply "try different auth plugin (or scamble length)".

This allows to detect what user accounts exists in the server.

Attachments

Activity

Ascending order - Click to sort in descending order

Sergei Golubchik added a comment - 2012-12-02 21:14 - edited

This is CVE-2012-5615 and http://seclists.org/fulldisclosure/2012/Dec/9

Sergei Golubchik added a comment - 2012-12-02 21:14 - edited This is CVE-2012-5615 and http://seclists.org/fulldisclosure/2012/Dec/9

Laurynas Biveinis added a comment - 2014-03-17 14:44

This is https://bugs.launchpad.net/percona-server/+bug/1171941 for Percona Server

Laurynas Biveinis added a comment - 2014-03-17 14:44 This is https://bugs.launchpad.net/percona-server/+bug/1171941 for Percona Server

People

Assignee:: Sergei Golubchik

Reporter:: Sergei Golubchik

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 2012-12-02 21:13

Updated:: 2014-03-17 14:44

Resolved:: 2013-01-25 12:48

Git Integration

Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.

MariaDB Server