So one can merely get shell access as the unprivileged server process user rather than as the superuser.
It's interesting to see how many people look at this and react "Whoa! Shell access!" or "Whoa! Malicious shared library injection!", and how few have commented on the fact (almost treated as a minor sideline) that one vector for the exploit involves setting up database triggers that run with SUPER privileges.
"Whoa! Attackers (with FILE privilege) can alter your purchase orders and invoices, steal your contacts and confidential customer account information, change inventory records, and forge identities." No shell access or shared libraries involved.
But that's been known as CVE-2012-5613 for some time. (-: