[42462] in bugtraq
Re: MySQL 5.0 information leak?
daemon@ATHENA.MIT.EDU (Johan De Meersman)
Thu Jan 26 18:04:24 2006
Message-ID: <43D60B06.2030302@operamail.com>
Date: Tue, 24 Jan 2006 12:09:58 +0100
From: Johan De Meersman <jdm@operamail.com>
MIME-Version: 1.0
Cc: bugtraq@securityfocus.com
In-Reply-To: <00d701c61e30$c7086f00$f400ca0a@burtonstrauss.local>
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature";
boundary="------------enig5CC41A9FDC7BFAB03B9A4B31"
This is an OpenPGP/MIME signed message (RFC 2440 and 3156)
--------------enig5CC41A9FDC7BFAB03B9A4B31
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Burton Strauss wrote:
>Traditionally the schema for a database is NOT secure information.
>Applications download this information to build queries on the fly.
>
>The essential problem is relying on security by obscurity, "I have user
>accounts (nss) that have publicly available credentials but noone [sic]
>should be able to see how the database really is organized".
>
>
I don't agree - basic security says that no user should have more access
than he strictly needs. A user that only uses a fixed set of queries
doesn't need to see how the database is laid out - if he can, an
attacker wouldn't need to guess the names of other fields that may
contain sensitive information.
Obviously those fields should be access-restricted as well, but you
shouldn't make things easier on any front.
--
You prefer the company of the opposite sex, but are well liked by your own.
--
Public GPG key at blackhole.pca.dfn.de
GCS/IT d- s:+ a- C(+++)$ UL++++$ P+++(++++)$ L++(+++)$ !E- W+(+++)$
N+(++) o K w$ !O !M V PS(++)@ PE-(++)@ Y+ PGP++(+++) t(+) 5 X R tv--
b++(++++) DI++(++++) D++ G e++>+++++ h(+) r y+**
--------------enig5CC41A9FDC7BFAB03B9A4B31
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
iD8DBQFD1gsHxz0AbiB4HpQRAvpTAJ9KZOS5FT2D5sl/nOvMr3qLK5NfOgCgmYG6
ZxfxLeTbf9yi1MXQPlx2FDo=
=2TR6
-----END PGP SIGNATURE-----
--------------enig5CC41A9FDC7BFAB03B9A4B31--