| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 28 Jan 2006 00:44:34 +0000 From: Duncan Simpson <dps@...pson.demon.co.uk> To: bugtraq@...urityfocus.com Subject: Re: MySQL 5.0 information leak? Nobody has mentioned this yet, so maybe I should. Accpording to the MySQL documentation the infromation schema is database and there is no suggestion that the access controls do not work. You should be able to determine who has what access to the information schema using standard grant and revoke commands. I know my database using code has no need for the information schema, because the queries and types of the results are both fixed in advance, albeit with some limited variable portions. The obvious tools not working, due to lack of access to the database schema, might slow down some crackers by a worthwhile amount. The original poster might be well serverd by a program that does predetermined queries, using a restricted identity for extra security, and keeps the connection detials to itself. (I do not think obscuring the database structure is worth much except as one of a wider set of security measures.) --k0QLwNOi013478.1138312704/mail.simpson.demon.co.uk Content-Type: text/plain Duncan (-: "software industry, the: unique industry where selling substandard goods is legal and you can charge extra for fixing the problems."
Powered by blists - more mailing lists