lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <200601201305.04525@bwurst.org>
Date: Fri, 20 Jan 2006 13:05:02 +0100
From: Bernd Wurst <bernd@...rst.org>
To: bugtraq@...urityfocus.com
Subject: MySQL 5.0 information leak?

Hi.

I just upgraded to mysql 5.0.18 and started using all those cool new 
features. :)

But concerning VIEWs, I think the information_schema is too verbose to 
the user. I started creating a VIEW that searches information from 
several tables, mangles the data and gives the user a clean table with 
his data. So far, so good.

But I only give the user access to this VIEW, so he cannot see what's 
done to get his data from several tables.

SHOW CREATE VIEW myview;
does (correctly) result in an error that the user is not allowed to see 
the CREATE VIEW.

But SELECT * FROM information_schema.views; returns the full query that 
ceates the desired VIEW.

I think of this as a security issue because I have user accounts (nss) 
that have publicly available credentials but noone should be able to 
see how the database really is organized. 

What do you think of this? Bug?

cu, Bernd

-- 
Windows Error 019: User error. It's not our fault. Is not! Is not!

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ