[42355] in bugtraq


MySQL 5.0 information leak?

daemon@ATHENA.MIT.EDU (Bernd Wurst)
Fri Jan 20 18:15:10 2006

From: Bernd Wurst <bernd@bwurst.org>
To: bugtraq@securityfocus.com
Date: Fri, 20 Jan 2006 13:05:02 +0100
Message-Id: <200601201305.04525@bwurst.org>


Hi.

I just upgraded to mysql 5.0.18 and started using all those cool new
features. :)

But concerning VIEWs, I think the information_schema is too verbose to
the user. I started creating a VIEW that searches information from
several tables, mangles the data and gives the user a clean table with
his data. So far, so good.

But I only give the user access to this VIEW, so he cannot see what's
done to get his data from several tables.

SHOW CREATE VIEW myview;
does (correctly) result in an error that the user is not allowed to see
the CREATE VIEW.

But SELECT * FROM information_schema.views; returns the full query that
creates the desired VIEW.

I think of this as a security issue because I have user accounts (nss)
that have publicly available credentials but no one should be able to
see how the database really is organized.

What do you think of this? Bug?

cu, Bernd

-- 
Windows Error 019: User error. It's not our fault. Is not! Is not!

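The setup the report describes, written out as an added example that is not part of the original post. Every database, table, column and account name below is made up; only the statements and the privilege names are MySQL's own.

```sql
-- Added example, not from the original post: reproduce the comparison
-- between SHOW CREATE VIEW and information_schema.VIEWS on MySQL.
-- Database, table, view and account names are hypothetical.

CREATE DATABASE IF NOT EXISTS hosting;
USE hosting;

-- Base tables the end user is never supposed to learn about.
CREATE TABLE customers (
  id   INT PRIMARY KEY,
  name VARCHAR(64),
  plan VARCHAR(16)
);
CREATE TABLE internal_quota (
  customer_id INT PRIMARY KEY,
  bytes_used  BIGINT,
  bytes_limit BIGINT,
  audit_flag  TINYINT
);

-- Constructed sample rows.
INSERT INTO customers VALUES (1, 'alice', 'small'), (2, 'bob', 'large');
INSERT INTO internal_quota VALUES (1, 1024, 10240, 0), (2, 8192, 102400, 1);

-- The view hides the join, the internal table name and the audit column.
-- SQL SECURITY DEFINER (the default) is what lets a user who has no
-- privilege on the base tables still SELECT from the view.
CREATE VIEW customer_usage AS
  SELECT c.name, c.plan, q.bytes_used, q.bytes_limit
  FROM customers c
  JOIN internal_quota q ON q.customer_id = c.id;

-- Restricted account: SELECT on the view only, no SHOW VIEW privilege.
CREATE USER 'nss'@'localhost' IDENTIFIED BY 'public-password';
GRANT SELECT ON hosting.customer_usage TO 'nss'@'localhost';

-- Run the following three statements while connected as 'nss'@'localhost'.
SELECT * FROM customer_usage;              -- allowed: the intended interface

SHOW CREATE VIEW customer_usage;           -- denied: needs SHOW VIEW

SELECT TABLE_SCHEMA, TABLE_NAME, VIEW_DEFINITION
  FROM information_schema.VIEWS
 WHERE TABLE_SCHEMA = 'hosting';           -- the check: is VIEW_DEFINITION
                                           -- filled in for this account?

-- The only intended way for 'nss' to read the definition:
-- GRANT SHOW VIEW ON hosting.customer_usage TO 'nss'@'localhost';
```

The last SELECT is the test. On the 5.0.18 server in the report it returns the full SELECT behind customer_usage, including the internal_quota table and the join, to an account that holds nothing but SELECT on the view. Whether VIEW_DEFINITION comes back filled in or empty for an account without SHOW VIEW depends on the server version, so run the comparison on the version you actually deploy rather than assuming either behaviour.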
