Bugtraq mailing list archives
Re: MySQL 5.0 information leak?
From: Johan De Meersman <jdm () operamail com>
Date: Tue, 24 Jan 2006 12:09:58 +0100
Burton Strauss wrote:
> Traditionally the schema for a database is NOT secure information. Applications download this information to build queries on the fly. The essential problem is relying on security by obscurity, "I have user accounts (nss) that have publicly available credentials but noone [sic] should be able to see how the database really is organized".
I don't agree - basic security says that no user should have more access than he strictly needs. A user that only uses a fixed set of queries doesn't need to see how the database is laid out - if he can, an attacker wouldn't need to guess the names of other fields that may contain sensitive information. Obviously those fields should be access-restricted as well, but you shouldn't make things easier on any front.

--
You prefer the company of the opposite sex, but are well liked by your own.
--
Public GPG key at blackhole.pca.dfn.de
GCS/IT d- s:+ a- C(+++)$ UL++++$ P+++(++++)$ L++(+++)$ !E- W+(+++)$ N+(++) o K w$ !O !M V PS(++)@ PE-(++)@ Y+ PGP++(+++) t(+) 5 X R tv-- b++(++++) DI++(++++) D++ G e++>+++++ h(+) r y+**
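The least-privilege point above (an account that only runs a fixed set of queries should not be able to enumerate the schema) can be shown directly in MySQL grants. The following is an added example, not code from the thread or from any of its posters; the `shop` database, the `customers` table, the account names and the placeholder passwords are all constructed for the illustration. It puts a blanket grant beside two tighter alternatives and ends with the catalogue query a defender would run as each account to compare what is exposed.

```sql
-- Added example: least-privilege grants versus a blanket grant in MySQL 5.0+.
-- Schema, table, account names and passwords are placeholders constructed
-- for this example.
CREATE DATABASE IF NOT EXISTS shop;
USE shop;

CREATE TABLE customers (
  id        INT PRIMARY KEY AUTO_INCREMENT,
  email     VARCHAR(255) NOT NULL,
  card_hash CHAR(64)     NOT NULL   -- sensitive column the application never needs
);

-- Weak setting: a blanket grant on the whole database. This account can read
-- card_hash directly and can list every table and column name in the
-- database through INFORMATION_SCHEMA.
CREATE USER 'app_wide'@'localhost' IDENTIFIED BY 'placeholder-password';
GRANT SELECT ON shop.* TO 'app_wide'@'localhost';

-- Least privilege, variant 1: column-level grant. INFORMATION_SCHEMA.COLUMNS
-- only lists columns the current account holds a privilege on, so card_hash
-- is neither readable nor visible to this account.
CREATE USER 'app_cols'@'localhost' IDENTIFIED BY 'placeholder-password';
GRANT SELECT (id, email) ON shop.customers TO 'app_cols'@'localhost';

-- Least privilege, variant 2: the fixed query is wrapped in a stored routine
-- that runs with the definer's rights. The application account holds EXECUTE
-- on that one routine and no table privilege at all, so neither the table
-- nor its columns appear in INFORMATION_SCHEMA for it.
DELIMITER //
CREATE DEFINER = 'root'@'localhost' PROCEDURE customer_email_by_id(IN p_id INT)
SQL SECURITY DEFINER
BEGIN
  SELECT email FROM customers WHERE id = p_id;
END //
DELIMITER ;

CREATE USER 'app_proc'@'localhost' IDENTIFIED BY 'placeholder-password';
GRANT EXECUTE ON PROCEDURE shop.customer_email_by_id TO 'app_proc'@'localhost';

-- Check: connect as each of the three accounts in turn and run this query.
-- The row set shrinks from "every column" to "granted columns only" to
-- "nothing", which is the exposure difference the grants make.
SELECT table_name, column_name
  FROM information_schema.columns
 WHERE table_schema = 'shop';
```

The check works because INFORMATION_SCHEMA is privilege-filtered: an account only sees objects it holds some privilege on. That is what makes the choice of grant a schema-disclosure decision rather than a purely data-access one. The stored-routine variant also fixes the query text server-side, which is the tightest fit for the "fixed set of queries" case the reply describes.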