BugTraq
MySQL 5.0 information leak? Jan 20 2006 12:05PM
Bernd Wurst (bernd bwurst org) (2 replies)
RE: MySQL 5.0 information leak? Jan 21 2006 02:17AM
Burton Strauss (Security SmallNetSolutions com) (1 replies)
Traditionally the schema for a database is NOT secure information.
Applications download this information to build queries on the fly.

The essential problem is relying on security by obscurity, "I have user
accounts (nss) that have publicly available credentials but noone [sic]
should be able to see how the database really is organized".

-----Burton

-----Original Message-----
From: Bernd Wurst [mailto:bernd (at) bwurst (dot) org [email concealed]]
Sent: Friday, January 20, 2006 6:05 AM
To: bugtraq (at) securityfocus (dot) com [email concealed]
Subject: MySQL 5.0 information leak?

Hi.

I just upgraded to mysql 5.0.18 and started using all those cool new
features. :)

But concerning VIEWs, I think the information_schema is too verbose to the
user. I started creating a VIEW that searches information from several
tables, mangles the data and gives the user a clean table with his data. So
far, so good.

But I only give the user access to this VIEW, so he cannot see what's done
to get his data from several tables.

SHOW CREATE VIEW myview;
does (correctly) result in an error that the user is not allowed to see the
CREATE VIEW.

But SELECT * FROM information_schema.views; returns the full query that
ceates the desired VIEW.

I think of this as a security issue because I have user accounts (nss) that
have publicly available credentials but noone should be able to see how the
database really is organized.

What do you think of this? Bug?

cu, Bernd

--
Windows Error 019: User error. It's not our fault. Is not! Is not!

[ reply ]
Re: MySQL 5.0 information leak? Jan 24 2006 11:09AM
Johan De Meersman (jdm operamail com)
Re: MySQL 5.0 information leak? Jan 21 2006 12:30AM
Stephen Frost (sfrost snowman net)


 

Privacy Statement
Copyright 2010, SecurityFocus