author: Anirudh Mangipudi <anirudh.mangipudi@oracle.com> 2013-10-18 17:14:39 +0530
committer: Anirudh Mangipudi <anirudh.mangipudi@oracle.com> 2013-10-18 17:14:39 +0530
commit: 18079ac9b82a3af4e0686a8da58499523e5677ef (patch)
tree: fd17e63a09f8c0d70c96c2ec6d6f4c81b4a5f032 /sql
parent: 6fd6b38c719e311df70a3c6cafa8c6a1847ddf6d (diff)
download: mariadb-git-18079ac9b82a3af4e0686a8da58499523e5677ef.tar.gz
Bug #17357535 BACKPORT BUG#16241992 TO 5.5
Problem: COM_CHANGE_USER allows brute-force attempts to crack a password at a very high rate as it does not cause any significant delay after a login attempt has failed. This issue was reproduced using the John-The-Ripper password cracking tool, through which about 5000 passwords per second could be attempted.

Solution: The non-GA version's solution was to disconnect the connection when a login attempt failed. Now, since our aim is to reduce the rate at which passwords are tested, we introduced a sleep(1) after every failed login attempt. This significantly increased the delay with which the password was cracked.
Diffstat (limited to 'sql')
-rw-r--r-- sql/sql_parse.cc | 1 +
1 files changed, 1 insertions, 0 deletions
diff --git a/sql/sql_parse.cc b/sql/sql_parse.cc
index f787fe4058f..6e2b422bd44 100644
--- a/sql/sql_parse.cc
+++ b/sql/sql_parse.cc
@@ -971,6 +971,7 @@ bool dispatch_command(enum enum_server_command command, THD *thd,
thd->variables.collation_connection= save_collation_connection;
thd->variables.character_set_results= save_character_set_results;
thd->update_charset();
+ sleep(1);
}
else
{
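Review bot: the added `sleep(1)` in the COM_CHANGE_USER failure branch is a bare, unconditional blocking call with no comment saying why it is there; add a comment naming the bug (`/* Bug#16241992: throttle failed COM_CHANGE_USER attempts */`) so a later cleanup does not treat a one-second sleep inside `dispatch_command` as a leftover debugging aid. The sleep also blocks the connection's thread for the full second, so the throttling it gives is per connection rather than server-wide; since the commit message notes the non-GA branch disconnected on failure instead, a short note explaining why the 5.5 backport deliberately keeps the connection open would help reviewers judge whether the delay should instead be shared with the existing initial-login failure path.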