Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: MySQL 5.0 information leak?

from [Lance James] Network Security [Permanent Link]
Subject: Re: MySQL 5.0 information leak?
Date: Sun, 22 Jan 2006 08:48:21 -0800 
Burton Strauss wrote:


I'd get a refund on your coinage... root's password is not security by
obscurity, it is an undisclosed piece of information.  There is a big
difference.
 



Now we're arguing symantics, undislosed information would also by the
MySQL information leak problem then too, as Bernd doesn't want to
disclose such information to an attacker.


-----Burton

-----Original Message-----
From: Lance James [mailto:bugtraq@securescience.net] 
Sent: Saturday, January 21, 2006 2:09 PM
To: Burton Strauss
Cc: 'Bernd Wurst'; bugtraq@securityfocus.com
Subject: Re: MySQL 5.0 information leak?

Burton Strauss wrote:

 


Traditionally the schema for a database is NOT secure information.
Applications download this information to build queries on the fly.

The essential problem is relying on security by obscurity, "I have user 
accounts (nss) that have publicly available credentials but noone [sic] 
should be able to see how the database really is organized".


   



Denying the security through obscurity is not applicable could be incorrect.
It does have it's place i.e. what's your root password?

In WebAppSec, security by obscurity assists in deterring attackers, and
buying some time. So if one can prevent full disclosure of the schema of the
db, that can be useful combined with security in depth.

my two cents.

-Lance

 


-----Burton

-----Original Message-----
From: Bernd Wurst [mailto:bernd@bwurst.org]
Sent: Friday, January 20, 2006 6:05 AM
To: bugtraq@securityfocus.com
Subject: MySQL 5.0 information leak?

Hi.

I just upgraded to mysql 5.0.18 and started using all those cool new 
features. :)

But concerning VIEWs, I think the information_schema is too verbose to 
the user. I started creating a VIEW that searches information from 
several tables, mangles the data and gives the user a clean table with 
his data. So far, so good.

But I only give the user access to this VIEW, so he cannot see what's 
done to get his data from several tables.

SHOW CREATE VIEW myview;
does (correctly) result in an error that the user is not allowed to see 
the CREATE VIEW.

But SELECT * FROM information_schema.views; returns the full query that 
ceates the desired VIEW.

I think of this as a security issue because I have user accounts (nss) 
that have publicly available credentials but noone should be able to 
see how the database really is organized.

What do you think of this? Bug?

cu, Bernd

--
Windows Error 019: User error. It's not our fault. Is not! Is not!
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  [eVuln] "my little homepage" products [link] BBCode XSS Vulnerability, alex
Next by Date:  Buffer Overflow /Font on mIRC, Crowdat Kurobudetsu
Previous by Thread:  Re: MySQL 5.0 information leak?, Stephen Frost
Next by Thread:  RE: MySQL 5.0 information leak?, Burton Strauss
Indexes:  [Date] [Thread] [Top] [All Lists]