Re: MySQL 5.0 information leak?

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: MySQL 5.0 information leak?
From: Duncan Simpson <dps@xxxxxxxxxxxxxxxxxxx>
Date: Sat, 28 Jan 2006 00:44:34 +0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Sender: dps@xxxxxxxxxxxxxxxxxxx

Nobody has mentioned this yet, so maybe I should. Accpording to the MySQL 
documentation the infromation schema is database and there is no suggestion 
that the access controls do not work. You should be able to determine who has 
what access to the information schema using standard grant and revoke commands.

I know my database using code has no need for the information schema, because 
the queries and types of the results are both fixed in advance, albeit with 
some limited variable portions. The obvious tools not working, due to lack of 
access to the database schema, might slow down some crackers by a worthwhile 
amount.

The original poster might be well serverd by a program that does predetermined 
queries, using a restricted identity for extra security, and keeps the 
connection detials to itself. (I do not think obscuring the database structure 
is worth much except as one of a wider set of security measures.)
--k0QLwNOi013478.1138312704/mail.simpson.demon.co.uk
Content-Type: text/plain

Duncan (-:
"software industry, the: unique industry where selling substandard goods is
legal and you can charge extra for fixing the problems."

Prev by Date: zbattle.net
Next by Date: Cross Site Cooking
Previous by thread: RE: MySQL 5.0 information leak?
Next by thread: [SECURITY] [DSA 947-1] New ClamAV packages fix heap overflow
Index(es):
- Date
- Thread