On 8/27/07, Yuri Astrakhan yuriastrakhan@gmail.com wrote:
Ouch, thanks Simetrical. I guess "user_password" should not be allowed in any "explain" queries. Any other risky ones out there?
On the other hand - this only introduces another possibility of a login - same as going through the regular login page. I can't think how it would be a security risk - automated running through a list of md5 hashes. We could implement a memcached solution so that no more than 10 queries would run per minute.
EXPLAIN SELECT * FROM user WHERE user_name='Simetrical' AND user_password REGEXP '^[0-7].*'; ... It should only take a maximum of 128 queries to read the entire MD5 one bit at a time starting with no starting info. This isn't the same as a brute-force shortcut. You can't solve this with a delay or a captcha.
There are a bunch of fields that need to be protected (rc_ip, for example.. user prefs.. watchlist table...). To really make the tool useful it has to be very flexible in what it accepts. I looked at building something like this for toolserver users a while back and decided it would be too much work to get it right.
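The column denylist Yuri suggests, as an added example that is not part of the thread or of MediaWiki: it tokenizes the submitted SQL and refuses any EXPLAIN query that references a protected column or table, so backtick quoting, table qualification and string literals are handled rather than doing a substring match. The deny lists below are assumptions beyond the fields the thread names (user_password, rc_ip, the watchlist table).

```python
import re

# Constructed deny lists: the thread names user_password, rc_ip and the
# watchlist table; anything else a deployment adds is its own decision.
PROTECTED_COLUMNS = {"user_password", "rc_ip"}
PROTECTED_TABLES = {"watchlist"}

# One token per match: a backtick-quoted identifier (group 1), a single- or
# double-quoted string literal (consumed and ignored), or a bare word (group 2).
_TOKEN = re.compile(
    r"`([^`]+)`"                      # `quoted identifier`
    r"|'(?:[^'\\]|\\.)*'"             # 'string literal'
    r"|\"(?:[^\"\\]|\\.)*\""          # "string literal"
    r"|([A-Za-z_][A-Za-z0-9_]*)"      # bare identifier or keyword
)


def referenced_identifiers(sql):
    """Return the lower-cased identifiers referenced in `sql`.

    String literals are matched by the regex but contribute nothing, so a
    WHERE clause comparing against the text 'user_password' is not a
    reference to the column.  `user`.`user_password` yields both names
    because the dot is not an identifier character.
    """
    idents = set()
    for m in _TOKEN.finditer(sql):
        name = m.group(1) or m.group(2)
        if name:
            idents.add(name.lower())
    return idents


def blocked_identifiers(sql):
    """Sorted list of protected names the query touches; empty means allowed.

    Any reference counts, including one inside a WHERE clause or subquery,
    because EXPLAIN on a predicate over the column is exactly the bit-by-bit
    oracle described in the thread.
    """
    idents = referenced_identifiers(sql)
    return sorted(idents & (PROTECTED_COLUMNS | PROTECTED_TABLES))


def explain_query_is_allowed(sql):
    """True only when the query names nothing on the deny lists."""
    return not blocked_identifiers(sql)
```

The check is only as good as the lists it is given: a sensitive field that nobody thought to add stays exposed, which is the maintenance burden the reply above points to.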