>Description:
        Granting a normal user the FILE privilege will be listed as DROP,
and the user has both FILE and DROP privileges.

>How-To-Repeat:
        mysql -u root -p

        CREATE DATABASE TEST1;
        USE TEST1;
        CREATE TABLE TESTING (COL1 CHAR(3) );
        GRANT INSERT,SELECT,FILE ON TEST1.* TO user1@localhost IDENTIFIED BY 'hidden';
        FLUSH PRIVILEGES;
        SHOW GRANTS FOR www@localhost;
        
[ table will show privileges INSERT,SELECT,DROP for user www@localhost. ]
        
        exit

        mysql -u user1 -p
        USE TEST1;
        INSERT INTO TESTING SET COL1='ABC';
[ works ]
        LOAD DATA LOCAL INFILE 'some_file' INTO TABLE TESTING;
[ works only with 'LOCAL' ]
        DROP TABLE TESTING;
[ !!! this also works ]

>Fix:
        Unknown.

>Submitter-Id:  Andrei Boros
>Originator:    Andrei Boros
>Organization: 
 Romanian Radio Broadcasting Corporation
>MySQL support: [none]
>Synopsis:      FILE privilege security hole.
>Severity:      
>Priority:      
>Category:      mysql
>Class:         
>Release:       mysql-3.23.32 (Source distribution) no BDB.

>Environment:
        Intel Pentium 3/500MHz 128MB, 2xSCSI hdd adaptec SCSI ctrl.
        Slackware Linux 7.0 + all official patches from slackware.com
        Kernel 2.2.17
        glibc 2.1.3
System: Linux www 2.2.17 #9 Mon Jun 18 12:24:45 EEST 2001 i686 unknown
Architecture: i686

Some paths:  /usr/bin/perl /usr/bin/make /usr/bin/gmake /usr/bin/gcc /usr/bin/cc
GCC: Reading specs from /usr/lib/gcc-lib/i386-slackware-linux/egcs-2.91.66/specs
gcc version egcs-2.91.66 19990314/Linux (egcs-1.1.2 release)
Compilation info: CC='gcc'  CFLAGS=''  CXX='c++'  CXXFLAGS=''  LDFLAGS=''
LIBC: 
lrwxrwxrwx   1 root     root           13 Mar  1 13:29 /lib/libc.so.6 -> libc-2.1.3.so
-rwxr-xr-x   1 root     root      1008844 Sep 10  1999 /lib/libc-2.1.2.so
-rwxr-xr-x   1 root     root      1014632 Sep  5  2000 /lib/libc-2.1.3.so
-rw-r--r--   1 root     root     20266642 Mar 20  2000 /usr/lib/libc.a
-rw-r--r--   1 root     root          178 Mar 20  2000 /usr/lib/libc.so
Configure command: ./configure  --prefix=/usr/local/mysql --without-debug 
--enable-thread-safe-client --with-mysqld-user=mysql
Perl: This is perl, version 5.005_03 built for i386-linux
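
An added example, not part of the original report and not MySQL's own code: a small Python check that compares the privileges requested in a GRANT with what SHOW GRANTS reports, which flags the FILE/DROP mismatch described in the report. The SHOW GRANTS rows below are constructed sample text, and their exact layout is an assumption.

```python
import re

# Assumed shape of a SHOW GRANTS row: GRANT <privs> ON <scope> TO <account> [...]
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+(?P<account>\S+)",
    re.IGNORECASE,
)

# Constructed sample rows modelled on the report (not captured server output).
SAMPLE_ROWS = [
    "GRANT USAGE ON *.* TO user1@localhost IDENTIFIED BY PASSWORD '<hash>'",
    "GRANT SELECT, INSERT, DROP ON TEST1.* TO user1@localhost",
]
# What the administrator asked for in the GRANT statement from the report.
REQUESTED = {"TEST1.*": ["INSERT", "SELECT", "FILE"]}


def parse_grants(rows):
    """Map each scope (e.g. 'test1.*') to the set of privileges reported for it."""
    reported = {}
    for row in rows:
        m = GRANT_RE.match(row.strip())
        if not m:
            continue  # not a GRANT row (header, separator, blank line)
        privs = re.sub(r"\([^)]*\)", "", m.group("privs"))  # drop column lists
        names = {p.strip().upper() for p in privs.split(",") if p.strip()}
        scope = m.group("scope").replace("`", "").lower()
        reported.setdefault(scope, set()).update(names)
    return reported


def diff_grants(requested, rows):
    """Return {scope: {'unexpected': [...], 'missing': [...]}} for mismatches only."""
    wanted = {s.lower(): {p.upper() for p in ps} for s, ps in requested.items()}
    reported = parse_grants(rows)
    findings = {}
    for scope in set(wanted) | set(reported):
        want = wanted.get(scope, set())
        have = reported.get(scope, set()) - {"USAGE"}  # USAGE means "no privileges"
        if want != have:
            findings[scope] = {
                "unexpected": sorted(have - want),
                "missing": sorted(want - have),
            }
    return findings


if __name__ == "__main__":
    print(diff_grants(REQUESTED, SAMPLE_ROWS))
```

Running the same comparison after every GRANT in a provisioning script turns a silently altered privilege list into a visible finding.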
