Message-ID: <43D60B06.2030302@operamail.com>
Date: Tue, 24 Jan 2006 12:09:58 +0100
From: Johan De Meersman <jdm@...ramail.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: MySQL 5.0 information leak?
Burton Strauss wrote:
>Traditionally the schema for a database is NOT secure information.
>Applications download this information to build queries on the fly.
>
>The essential problem is relying on security by obscurity, "I have user
>accounts (nss) that have publicly available credentials but noone [sic]
>should be able to see how the database really is organized".
>
>
I don't agree - basic security says that no user should have more access
than he strictly needs. A user that only uses a fixed set of queries
doesn't need to see how the database is laid out - if he can, an
attacker wouldn't need to guess the names of other fields that may
contain sensitive information.
Obviously those fields should be access-restricted as well, but you
shouldn't make things easier on any front.
--
You prefer the company of the opposite sex, but are well liked by your own.
--
Public GPG key at blackhole.pca.dfn.de
GCS/IT d- s:+ a- C(+++)$ UL++++$ P+++(++++)$ L++(+++)$ !E- W+(+++)$
N+(++) o K w$ !O !M V PS(++)@ PE-(++)@ Y+ PGP++(+++) t(+) 5 X R tv--
b++(++++) DI++(++++) D++ G e++>+++++ h(+) r y+**
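
The least-privilege point made in the reply above, shown for MySQL as an added example that is not part of the original message. The database `shop_demo`, the table `customers`, its columns, the account `webapp` and the password placeholder are all hypothetical names constructed for illustration.

```sql
-- Constructed sample schema (hypothetical names throughout).
CREATE DATABASE shop_demo;
CREATE TABLE shop_demo.customers (
    id           INT PRIMARY KEY,
    display_name VARCHAR(64),
    card_number  VARCHAR(32)   -- sensitive column the application never reads
);

-- Application account that only runs a fixed set of queries.
CREATE USER 'webapp'@'localhost' IDENTIFIED BY 'REPLACE_WITH_STRONG_PASSWORD';

-- Grant SELECT on the needed columns only, not on the table or database.
GRANT SELECT (id, display_name)
    ON shop_demo.customers
    TO 'webapp'@'localhost';

-- Review what the account actually holds.
SHOW GRANTS FOR 'webapp'@'localhost';

-- Run as 'webapp': MySQL filters INFORMATION_SCHEMA by the caller's
-- privileges, so this shows which column names the account can enumerate.
SELECT column_name
  FROM information_schema.columns
 WHERE table_schema = 'shop_demo'
   AND table_name   = 'customers';

-- Run as an administrator: find accounts whose database-wide or table-wide
-- grants expose every column name (and its data) in the demo schema.
SELECT grantee, table_schema, NULL AS table_name, privilege_type
  FROM information_schema.schema_privileges
 WHERE table_schema = 'shop_demo'
UNION ALL
SELECT grantee, table_schema, table_name, privilege_type
  FROM information_schema.table_privileges
 WHERE table_schema = 'shop_demo';
```

Accounts returned by the last query are candidates for narrowing to column-level grants.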