MySQL Preacher » usernames http://mysqlpreacher.com/wordpress Because Sharing is Caring Sat, 14 Apr 2012 17:45:05 +0000 en hourly 1 http://wordpress.org/?v=3.1.4 MySQL anonymous accounts – User=”, Host=’%’ – CODE RED http://mysqlpreacher.com/wordpress/2009/10/mysql-anonymous-accounts-user-host-code-red/ http://mysqlpreacher.com/wordpress/2009/10/mysql-anonymous-accounts-user-host-code-red/#comments Mon, 05 Oct 2009 13:50:30 +0000 Darren Cassar http://mysqlpreacher.com/wordpress/?p=297 I want to highlight the importance of reviewing mysql’s initial set of accounts.
Say you have a mysql on abc.def.ghi.jkl running on port 3306 anonymous account with privileges without a password, then:
1. mysql (if issued on localhost)
2. mysql -h abc.def.ghi.jkl
3. mysql -u ” -h abc.def.ghi.jkl
4. mysql -u ” -h abc.def.ghi.jkl -P 3306
5. mysql -u user_which_does_not_exist -h abc.def.ghi.jkl

will all manage to get into mysql given the way mysql authenticates users is against your username and client host from where you are connecting.

This verification is done versus the following columns in the mysql.user table, i.e., User,Host and Password columns.
An entry in the mysql.user table with the following values User=”, Host=’%’ will accept ANY user connecting from ANYWHERE in the world, thus disabling ANY security. Hence the reason for this blog post highlighting the importance of dropping such accounts, at least in all environments apart from dev.

Further information at:

http://dev.mysql.com/doc/refman/5.1/en/connection-access.html

]]> http://mysqlpreacher.com/wordpress/2009/10/mysql-anonymous-accounts-user-host-code-red/feed/ 0