lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <200601280045.AAA27754@simpson.demon.co.uk>
Date: Sat, 28 Jan 2006 00:44:34 +0000
From: Duncan Simpson <dps@...pson.demon.co.uk>
To: bugtraq@...urityfocus.com
Subject: Re: MySQL 5.0 information leak?



Nobody has mentioned this yet, so maybe I should. Accpording to the MySQL 
documentation the infromation schema is database and there is no suggestion 
that the access controls do not work. You should be able to determine who has 
what access to the information schema using standard grant and revoke commands.

I know my database using code has no need for the information schema, because 
the queries and types of the results are both fixed in advance, albeit with 
some limited variable portions. The obvious tools not working, due to lack of 
access to the database schema, might slow down some crackers by a worthwhile amount.

The original poster might be well serverd by a program that does predetermined 
queries, using a restricted identity for extra security, and keeps the 
connection detials to itself. (I do not think obscuring the database structure 
is worth much except as one of a wider set of security measures.)
--k0QLwNOi013478.1138312704/mail.simpson.demon.co.uk
Content-Type: text/plain

Duncan (-:
"software industry, the: unique industry where selling substandard goods is
legal and you can charge extra for fixing the problems."




Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ