[<prev] [next>] [day] [month] [year] [list]
Message-ID: <200601280045.AAA27754@simpson.demon.co.uk>
Date: Sat, 28 Jan 2006 00:44:34 +0000
From: Duncan Simpson <dps@...pson.demon.co.uk>
To: bugtraq@...urityfocus.com
Subject: Re: MySQL 5.0 information leak?
Nobody has mentioned this yet, so maybe I should. Accpording to the MySQL
documentation the infromation schema is database and there is no suggestion
that the access controls do not work. You should be able to determine who has
what access to the information schema using standard grant and revoke commands.
I know my database using code has no need for the information schema, because
the queries and types of the results are both fixed in advance, albeit with
some limited variable portions. The obvious tools not working, due to lack of
access to the database schema, might slow down some crackers by a worthwhile amount.
The original poster might be well serverd by a program that does predetermined
queries, using a restricted identity for extra security, and keeps the
connection detials to itself. (I do not think obscuring the database structure
is worth much except as one of a wider set of security measures.)
--k0QLwNOi013478.1138312704/mail.simpson.demon.co.uk
Content-Type: text/plain
Duncan (-:
"software industry, the: unique industry where selling substandard goods is
legal and you can charge extra for fixing the problems."
Powered by blists - more mailing lists