Bugtraq mailing list archives
Re: MySQL 5.0 information leak?
From: Duncan Simpson <dps () simpson demon co uk>
Date: Sat, 28 Jan 2006 00:44:34 +0000
Nobody has mentioned this yet, so maybe I should. Accpording to the MySQL documentation the infromation schema is database and there is no suggestion that the access controls do not work. You should be able to determine who has what access to the information schema using standard grant and revoke commands. I know my database using code has no need for the information schema, because the queries and types of the results are both fixed in advance, albeit with some limited variable portions. The obvious tools not working, due to lack of access to the database schema, might slow down some crackers by a worthwhile amount. The original poster might be well serverd by a program that does predetermined queries, using a restricted identity for extra security, and keeps the connection detials to itself. (I do not think obscuring the database structure is worth much except as one of a wider set of security measures.) --k0QLwNOi013478.1138312704/mail.simpson.demon.co.uk Content-Type: text/plain Duncan (-: "software industry, the: unique industry where selling substandard goods is legal and you can charge extra for fixing the problems."
Current thread:
- MySQL 5.0 information leak? Bernd Wurst (Jan 20)
- RE: MySQL 5.0 information leak? Burton Strauss (Jan 21)
- Re: MySQL 5.0 information leak? Johan De Meersman (Jan 26)
- Re: MySQL 5.0 information leak? Stephen Frost (Jan 23)
- <Possible follow-ups>
- Re: MySQL 5.0 information leak? Lance James (Jan 26)
- RE: MySQL 5.0 information leak? Burton Strauss (Jan 26)
- Re: MySQL 5.0 information leak? Duncan Simpson (Jan 30)
- RE: MySQL 5.0 information leak? Burton Strauss (Jan 21)