'Tragically comedic' flaw gives anyone root access to 900,000 Internet servers

JMH

Emeritus, Contributor
Joined: Apr 2, 2012
Posts: 7,197
A security flaw the discoverer described as "tragically comedic" exposes nearly 900,000 Internet-connected servers to attack by anyone who can come up with even one legitimate username and is willing to try logging in 256 times.

MySQL and MariaDB databases both assign an SHA-encrypted token to every user who logs in to the server so users only have to log in at the beginning of the session, not every time they send a request to the database.

Due to an error in the way they compare the token to an expected value, some editions of the database can't tell if the login is authentic or not. They assume it is and allow the user access whether the password is correct or not, according to an alert posted Saturday by MariaDB Security Coordinator Sergei Golubchik.

http://www.itworld.com/security/280...es-anyone-root-access-900000-internet-servers
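The "error in the way they compare the token" is worth seeing in code. The root cause, as documented in the MariaDB advisory the article cites (the advisory text is not quoted on this page; the bug is the one tracked as CVE-2012-2122, an identifier the excerpt does not give), is that the int returned by memcmp() was passed back through MySQL's one-byte my_bool type, so only the low byte of the result survived. On platforms whose memcmp() returns a value outside -128..127, that low byte is zero for about one wrong token in 256, which is exactly why "256 login attempts" is enough. The C below is an added example written for this post, not MySQL or MariaDB source code: word_memcmp() is a constructed stand-in for such a wide-result memcmp(), not any real libc's implementation, and the scenario that sweeps one byte of the server's expected token through all 256 values is constructed to model the server's random per-connection salt.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SCRAMBLE_LEN 20          /* length of the SHA-1 based login token ("scramble") */

typedef char my_bool;            /* MySQL's one-byte boolean type (assumes an 8-bit char) */

/* Constructed model of an optimized memcmp() that reports the difference of
 * whole 32-bit words instead of a value in -1/0/1. NOT any real libc's code;
 * it only reproduces the property that matters here: the result can lie far
 * outside the -128..127 range a char can hold. */
static int word_memcmp(const unsigned char *a, const unsigned char *b, size_t n)
{
    size_t i;
    for (i = 0; i + 4 <= n; i += 4) {
        uint32_t wa = ((uint32_t)a[i] << 24) | ((uint32_t)a[i + 1] << 16) |
                      ((uint32_t)a[i + 2] << 8) | (uint32_t)a[i + 3];
        uint32_t wb = ((uint32_t)b[i] << 24) | ((uint32_t)b[i + 1] << 16) |
                      ((uint32_t)b[i + 2] << 8) | (uint32_t)b[i + 3];
        if (wa != wb)
            return (int)(wa - wb);        /* low byte is (a[i+3]-b[i+3]) mod 256 */
    }
    for (; i < n; i++)                    /* trailing bytes, byte-wise as usual */
        if (a[i] != b[i])
            return (int)a[i] - (int)b[i];
    return 0;
}

/* Vulnerable shape: the int from the comparison is returned through a
 * one-byte boolean, so only its low byte survives (the narrowing wraps on
 * the usual compilers). Convention: 0 means "token matches, log the user in". */
static my_bool check_scramble_vulnerable(const unsigned char *client,
                                         const unsigned char *expected)
{
    return (my_bool)word_memcmp(client, expected, SCRAMBLE_LEN);
}

/* Minimal fix: normalise the result to 0/1 before it is narrowed. */
static my_bool check_scramble_fixed(const unsigned char *client,
                                    const unsigned char *expected)
{
    return word_memcmp(client, expected, SCRAMBLE_LEN) != 0;
}

/* What a security engineer would write instead: a fixed-time comparison
 * that does not depend on memcmp()'s return-value convention at all. */
static my_bool check_scramble_ct(const unsigned char *client,
                                 const unsigned char *expected)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < SCRAMBLE_LEN; i++)
        diff |= client[i] ^ expected[i];
    return diff != 0;
}

typedef my_bool (*check_fn)(const unsigned char *, const unsigned char *);

/* Constructed scenario: the attacker always sends the same wrong token; the
 * server's expected token (which varies with its random salt) is modelled by
 * sweeping byte 3 through all 256 values. Byte 0 always differs, so a correct
 * check must accept none of the 256 logins. Returns how many were accepted. */
static int logins_accepted_out_of_256(check_fn check)
{
    unsigned char client[SCRAMBLE_LEN];
    unsigned char expected[SCRAMBLE_LEN];
    int accepted = 0;

    memset(client, 0, sizeof client);
    memset(expected, 0, sizeof expected);
    client[0] = 0x01;                     /* wrong password: never equal to expected[0] */
    client[3] = 0x42;

    for (int v = 0; v < 256; v++) {
        expected[3] = (unsigned char)v;
        if (check(client, expected) == 0) /* 0 == "password OK" in this convention */
            accepted++;
    }
    return accepted;
}

/* Sanity check that a genuine login still works: identical tokens must be accepted. */
static int genuine_login_accepted(check_fn check)
{
    unsigned char tok[SCRAMBLE_LEN];
    for (size_t i = 0; i < SCRAMBLE_LEN; i++)
        tok[i] = (unsigned char)(0x5a ^ i);   /* constructed token value */
    return check(tok, tok) == 0;
}

int main(void)
{
    printf("vulnerable check: %d of 256 wrong-password logins accepted\n",
           logins_accepted_out_of_256(check_scramble_vulnerable));
    printf("fixed check:      %d of 256 accepted\n",
           logins_accepted_out_of_256(check_scramble_fixed));
    printf("constant-time:    %d of 256 accepted\n",
           logins_accepted_out_of_256(check_scramble_ct));
    return 0;
}
```

The vulnerable check accepts exactly one of the 256 attempts (the one where the surviving low byte happens to be zero even though the tokens differ), which is the per-attempt odds the article describes; both corrected versions accept none and still accept a genuine login. On a libc whose memcmp() only ever returns -1, 0 or 1 the vulnerable shape is accidentally safe, which is why only "some editions" of the builds were affected.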
 
