>Description:
Granting a normal user the FILE privilege is listed as DROP,
and the user ends up with both FILE and DROP privileges.
>How-To-Repeat:
mysql -u root -p
CREATE DATABASE TEST1;
USE TEST1;
CREATE TABLE TESTING (COL1 CHAR(3) );
GRANT INSERT,SELECT,FILE ON TEST1.* TO user1@localhost IDENTIFIED BY 'hidden';
FLUSH PRIVILEGES;
SHOW GRANTS FOR www@localhost;
[ table will show privileges INSERT,SELECT,DROP for user www@localhost. ]
exit
mysql -u user1 -p
USE TEST1;
INSERT INTO TESTING SET COL1='ABC';
[ works ]
LOAD DATA LOCAL INFILE 'some_file' INTO TABLE TESTING;
[ works only with 'LOCAL' ]
DROP TABLE TESTING;
[ !!! this also works ]
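The repeat steps above boil down to one check an administrator can automate: compare what SHOW GRANTS reports with what was actually intended, and flag any privilege that appears without having been granted (here DROP) or that was requested but is absent (here FILE). The script below is an added example, not part of this report or of the MySQL distribution. The SHOW GRANTS rows it parses are constructed to mirror the behaviour described in the report, not output captured from the reporter's server; the intended-grant map is taken from the GRANT statement above. It also flags a request to grant FILE (or PROCESS, RELOAD, SHUTDOWN, which MySQL documents as global-scope privileges) on a single database, since that request cannot mean what the administrator thinks it means.

```python
import re

# Constructed SHOW GRANTS output modelled on the report: the administrator
# asked for SELECT, INSERT, FILE on TEST1.* but the server lists DROP instead.
# These strings are an assumption for this example, not captured server output.
OBSERVED_GRANTS = [
    "GRANT USAGE ON *.* TO 'user1'@'localhost' IDENTIFIED BY PASSWORD '<hidden>'",
    "GRANT SELECT, INSERT, DROP ON `TEST1`.* TO 'user1'@'localhost'",
]

# What the GRANT statement in the report was meant to produce.
INTENDED = {("user1", "localhost", "TEST1.*"): {"SELECT", "INSERT", "FILE"}}

# Privileges MySQL documents as global (ON *.*) only; asking for one of them
# on a single database is a misconfiguration in its own right.
GLOBAL_ONLY = {"FILE", "PROCESS", "RELOAD", "SHUTDOWN"}

# One SHOW GRANTS row: GRANT <privs> ON <scope> TO '<user>'@'<host>' ...
GRANT_RE = re.compile(
    r"^GRANT (?P<privs>.+?) ON (?P<scope>\S+) TO '(?P<user>[^']+)'@'(?P<host>[^']+)'"
)


def parse_show_grants(lines):
    """Map (user, host, scope) -> set of privilege names from SHOW GRANTS rows.

    USAGE rows are dropped because USAGE is MySQL's way of saying 'no privileges'.
    """
    grants = {}
    for line in lines:
        m = GRANT_RE.match(line.strip())
        if not m:
            continue  # tolerate blank or unexpected rows
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        privs.discard("USAGE")
        if not privs:
            continue
        scope = m.group("scope").replace("`", "")  # `TEST1`.* -> TEST1.*
        key = (m.group("user"), m.group("host"), scope)
        grants.setdefault(key, set()).update(privs)
    return grants


def audit(intended, observed_lines):
    """Return, per (user, host, scope), the privileges that drifted from intent.

    'extra'  : present on the server but never intended (DROP in the report)
    'missing': intended but absent (FILE in the report)
    'global_only_requested': global-scope privileges requested at DB scope
    Scopes with no findings are left out of the result.
    """
    observed = parse_show_grants(observed_lines)
    report = {}
    for key in set(intended) | set(observed):
        want = intended.get(key, set())
        have = observed.get(key, set())
        scope = key[2]
        findings = {
            "extra": have - want,
            "missing": want - have,
            "global_only_requested": (want & GLOBAL_ONLY) if scope != "*.*" else set(),
        }
        if any(findings.values()):
            report[key] = findings
    return report


if __name__ == "__main__":
    for (user, host, scope), f in sorted(audit(INTENDED, OBSERVED_GRANTS).items()):
        print(f"{user}@{host} ON {scope}")
        for kind, privs in f.items():
            if privs:
                print(f"  {kind}: {', '.join(sorted(privs))}")
```

Run against a live server, the same audit takes the rows of SHOW GRANTS FOR each account in place of OBSERVED_GRANTS; anything reported under "extra" is a privilege the account can exercise (as DROP TABLE did above) that nobody decided to hand out.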
>Fix:
Unknown.
>Submitter-Id: Andrei Boros
>Originator: Andrei Boros
>Organization:
Romanian Radio Broadcasting Corporation
>MySQL support: [none]
>Synopsis: FILE privilege security hole.
>Severity:
>Priority:
>Category: mysql
>Class:
>Release: mysql-3.23.32 (Source distribution) no BDB.
>Environment:
Intel Pentium 3/500MHz 128MB, 2xSCSI hdd adaptec SCSI ctrl.
Slackware Linux 7.0 + all official patches from slackware.com
Kernel 2.2.17
glibc 2.1.3
System: Linux www 2.2.17 #9 Mon Jun 18 12:24:45 EEST 2001 i686 unknown
Architecture: i686
Some paths: /usr/bin/perl /usr/bin/make /usr/bin/gmake /usr/bin/gcc /usr/bin/cc
GCC: Reading specs from /usr/lib/gcc-lib/i386-slackware-linux/egcs-2.91.66/specs
gcc version egcs-2.91.66 19990314/Linux (egcs-1.1.2 release)
Compilation info: CC='gcc' CFLAGS='' CXX='c++' CXXFLAGS='' LDFLAGS=''
LIBC:
lrwxrwxrwx 1 root root 13 Mar 1 13:29 /lib/libc.so.6 -> libc-2.1.3.so
-rwxr-xr-x 1 root root 1008844 Sep 10 1999 /lib/libc-2.1.2.so
-rwxr-xr-x 1 root root 1014632 Sep 5 2000 /lib/libc-2.1.3.so
-rw-r--r-- 1 root root 20266642 Mar 20 2000 /usr/lib/libc.a
-rw-r--r-- 1 root root 178 Mar 20 2000 /usr/lib/libc.so
Configure command: ./configure --prefix=/usr/local/mysql --without-debug
--enable-thread-safe-client --with-mysqld-user=mysql
Perl: This is perl, version 5.005_03 built for i386-linux