lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <003601c61fcb$e32d8070$648ea8c0@burtonstrauss.local>
Date: Sun, 22 Jan 2006 21:19:53 -0600
From: "Burton Strauss" <Security@...llNetSolutions.com>
To: "'Lance James'" <bugtraq@...urescience.net>
Cc: "'Bernd Wurst'" <bernd@...rst.org>, <bugtraq@...urityfocus.com>
Subject: RE: MySQL 5.0 information leak?


It's not semantics at all.  Every password is a piece of undisclosed
information and NOBODY views that as security by obscurity.  It's the corner
stone of AAA ... Something you know, something you have, something about
you.

-----Burton 

-----Original Message-----
From: Lance James [mailto:bugtraq@...urescience.net] 
Sent: Sunday, January 22, 2006 10:48 AM
To: Burton Strauss
Cc: 'Bernd Wurst'; bugtraq@...urityfocus.com
Subject: Re: MySQL 5.0 information leak?

Burton Strauss wrote:

>I'd get a refund on your coinage... root's password is not security by 
>obscurity, it is an undisclosed piece of information.  There is a big 
>difference.
>  
>

Now we're arguing symantics, undislosed information would also by the MySQL
information leak problem then too, as Bernd doesn't want to disclose such
information to an attacker.

>-----Burton
>
>-----Original Message-----
>From: Lance James [mailto:bugtraq@...urescience.net]
>Sent: Saturday, January 21, 2006 2:09 PM
>To: Burton Strauss
>Cc: 'Bernd Wurst'; bugtraq@...urityfocus.com
>Subject: Re: MySQL 5.0 information leak?
>
>Burton Strauss wrote:
>
>  
>
>>Traditionally the schema for a database is NOT secure information.
>>Applications download this information to build queries on the fly.
>>
>>The essential problem is relying on security by obscurity, "I have 
>>user accounts (nss) that have publicly available credentials but noone 
>>[sic] should be able to see how the database really is organized".
>> 
>>
>>    
>>
>
>Denying the security through obscurity is not applicable could be
incorrect.
>It does have it's place i.e. what's your root password?
>
>In WebAppSec, security by obscurity assists in deterring attackers, and 
>buying some time. So if one can prevent full disclosure of the schema 
>of the db, that can be useful combined with security in depth.
>
>my two cents.
>
>-Lance
>
>  
>
>>-----Burton
>>
>>-----Original Message-----
>>From: Bernd Wurst [mailto:bernd@...rst.org]
>>Sent: Friday, January 20, 2006 6:05 AM
>>To: bugtraq@...urityfocus.com
>>Subject: MySQL 5.0 information leak?
>>
>>Hi.
>>
>>I just upgraded to mysql 5.0.18 and started using all those cool new 
>>features. :)
>>
>>But concerning VIEWs, I think the information_schema is too verbose to 
>>the user. I started creating a VIEW that searches information from 
>>several tables, mangles the data and gives the user a clean table with 
>>his data. So far, so good.
>>
>>But I only give the user access to this VIEW, so he cannot see what's 
>>done to get his data from several tables.
>>
>>SHOW CREATE VIEW myview;
>>does (correctly) result in an error that the user is not allowed to 
>>see the CREATE VIEW.
>>
>>But SELECT * FROM information_schema.views; returns the full query 
>>that ceates the desired VIEW.
>>
>>I think of this as a security issue because I have user accounts (nss) 
>>that have publicly available credentials but noone should be able to 
>>see how the database really is organized.
>>
>>What do you think of this? Bug?
>>
>>cu, Bernd
>>
>>--
>>Windows Error 019: User error. It's not our fault. Is not! Is not!
>>
>>
>> 
>>
>>    
>>
>
>
>  
>



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ