[42462] in bugtraq


Re: MySQL 5.0 information leak?

daemon@ATHENA.MIT.EDU (Johan De Meersman)
Thu Jan 26 18:04:24 2006

Message-ID: <43D60B06.2030302@operamail.com>
Date: Tue, 24 Jan 2006 12:09:58 +0100
From: Johan De Meersman <jdm@operamail.com>
MIME-Version: 1.0
Cc: bugtraq@securityfocus.com
In-Reply-To: <00d701c61e30$c7086f00$f400ca0a@burtonstrauss.local>

Burton Strauss wrote:

>Traditionally the schema for a database is NOT secure information.
>Applications download this information to build queries on the fly.
>
>The essential problem is relying on security by obscurity, "I have user
>accounts (nss) that have publicly available credentials but noone [sic]
>should be able to see how the database really is organized".

I don't agree - basic security says that no user should have more access
than he strictly needs. A user that only uses a fixed set of queries
doesn't need to see how the database is laid out - if he can, an
attacker wouldn't need to guess the names of other fields that may
contain sensitive information.

Obviously those fields should be access-restricted as well, but you
shouldn't make things easier on any front.


-- 
You prefer the company of the opposite sex, but are well liked by your own.
-- 

Public GPG key at blackhole.pca.dfn.de

GCS/IT d- s:+ a- C(+++)$ UL++++$ P+++(++++)$ L++(+++)$ !E- W+(+++)$
N+(++) o K w$ !O !M V PS(++)@ PE-(++)@ Y+ PGP++(+++) t(+) 5 X R tv--
b++(++++) DI++(++++) D++ G e++>+++++ h(+) r y+**
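The least-privilege arrangement argued for above (an account that runs a fixed set of queries and holds no table-level rights) can be expressed directly in MySQL grants. The following is an added illustration written for this page, not code from either poster; the database, table, column, routine and account names are assumptions chosen for the example.

```sql
-- Added example: confine an application account to a fixed query so that it
-- never holds table-level privileges and cannot list the table layout.
-- All names below (appdb, customer, lookup_email, app_reader) are assumptions.

CREATE DATABASE appdb;
USE appdb;

-- Base table; the columns marked sensitive are not needed by the application.
CREATE TABLE customer (
  id            INT PRIMARY KEY,
  email         VARCHAR(255) NOT NULL,
  ssn           CHAR(11),     -- sensitive, not needed by the public-facing app
  password_hash CHAR(60)      -- sensitive, not needed by the public-facing app
);

-- Weak setting (shown commented out): a catch-all grant lets the account read
-- every column and see the column list via SHOW COLUMNS / information_schema.
-- GRANT SELECT ON appdb.* TO 'app_weak'@'localhost' IDENTIFIED BY 'change-me';

-- Corrected setting: wrap the one query the application needs in a
-- SQL SECURITY DEFINER routine (runs with the creator's rights) and grant the
-- account EXECUTE on that routine only.
DELIMITER //
CREATE PROCEDURE lookup_email(IN p_id INT)
  SQL SECURITY DEFINER
BEGIN
  SELECT id, email FROM customer WHERE id = p_id;
END //
DELIMITER ;

CREATE USER 'app_reader'@'localhost' IDENTIFIED BY 'change-me';
GRANT EXECUTE ON PROCEDURE appdb.lookup_email TO 'app_reader'@'localhost';

-- Checks to run while connected as app_reader:
--   CALL lookup_email(42);        -- allowed: the fixed query
--   SELECT ssn FROM customer;     -- denied: no SELECT privilege on the table
--   SHOW COLUMNS FROM customer;   -- denied: no privilege of any kind on the table
--   SELECT table_name FROM information_schema.tables
--    WHERE table_schema = 'appdb';  -- customer is not listed for this account
```

The DEFINER account (the one that created the procedure) must itself hold SELECT on `customer`; if that account is later dropped or stripped of the privilege, calls fail rather than silently widening access, which is the desired failure mode. Review the grants periodically with `SHOW GRANTS FOR 'app_reader'@'localhost'` to confirm nothing beyond EXECUTE has crept in.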

