Re: MySQL 5.0 information leak?
Nobody has mentioned this yet, so maybe I should. Accpording to the MySQL documentation the infromation schema is database and there is no suggestion that the access controls do not work. You should be able to determine who has what access to the information schema using standard grant and revoke commands. I know my database using code has no need for the information schema, because the queries and types of the results are both fixed in advance, albeit with some limited variable portions. The obvious tools not working, due to lack of access to the database schema, might slow down some crackers by a worthwhile amount. The original poster might be well serverd by a program that does predetermined queries, using a restricted identity for extra security, and keeps the connection detials to itself. (I do not think obscuring the database structure is worth much except as one of a wider set of security measures.) --k0QLwNOi013478.1138312704/mail.simpson.demon.co.uk Content-Type: text/plain Duncan (-: "software industry, the: unique industry where selling substandard goods is legal and you can charge extra for fixing the problems."
RE: MySQL 5.0 information leak?
It's not semantics at all. Every password is a piece of undisclosed information and NOBODY views that as security by obscurity. It's the corner stone of AAA ... Something you know, something you have, something about you. -Burton -Original Message- From: Lance James [mailto:[EMAIL PROTECTED] Sent: Sunday, January 22, 2006 10:48 AM To: Burton Strauss Cc: 'Bernd Wurst'; bugtraq@securityfocus.com Subject: Re: MySQL 5.0 information leak? Burton Strauss wrote: >I'd get a refund on your coinage... root's password is not security by >obscurity, it is an undisclosed piece of information. There is a big >difference. > > Now we're arguing symantics, undislosed information would also by the MySQL information leak problem then too, as Bernd doesn't want to disclose such information to an attacker. >-Burton > >-Original Message- >From: Lance James [mailto:[EMAIL PROTECTED] >Sent: Saturday, January 21, 2006 2:09 PM >To: Burton Strauss >Cc: 'Bernd Wurst'; bugtraq@securityfocus.com >Subject: Re: MySQL 5.0 information leak? > >Burton Strauss wrote: > > > >>Traditionally the schema for a database is NOT secure information. >>Applications download this information to build queries on the fly. >> >>The essential problem is relying on security by obscurity, "I have >>user accounts (nss) that have publicly available credentials but noone >>[sic] should be able to see how the database really is organized". >> >> >> >> > >Denying the security through obscurity is not applicable could be incorrect. >It does have it's place i.e. what's your root password? > >In WebAppSec, security by obscurity assists in deterring attackers, and >buying some time. So if one can prevent full disclosure of the schema >of the db, that can be useful combined with security in depth. > >my two cents. > >-Lance > > > >>-Burton >> >>-Original Message- >>From: Bernd Wurst [mailto:[EMAIL PROTECTED] >>Sent: Friday, January 20, 2006 6:05 AM >>To: bugtraq@securityfocus.com >>Subject: MySQL 5.0 information leak? >> >>Hi. >> >>I just upgraded to mysql 5.0.18 and started using all those cool new >>features. :) >> >>But concerning VIEWs, I think the information_schema is too verbose to >>the user. I started creating a VIEW that searches information from >>several tables, mangles the data and gives the user a clean table with >>his data. So far, so good. >> >>But I only give the user access to this VIEW, so he cannot see what's >>done to get his data from several tables. >> >>SHOW CREATE VIEW myview; >>does (correctly) result in an error that the user is not allowed to >>see the CREATE VIEW. >> >>But SELECT * FROM information_schema.views; returns the full query >>that ceates the desired VIEW. >> >>I think of this as a security issue because I have user accounts (nss) >>that have publicly available credentials but noone should be able to >>see how the database really is organized. >> >>What do you think of this? Bug? >> >>cu, Bernd >> >>-- >>Windows Error 019: User error. It's not our fault. Is not! Is not! >> >> >> >> >> >> > > > >
Re: MySQL 5.0 information leak?
Burton Strauss wrote: >Traditionally the schema for a database is NOT secure information. >Applications download this information to build queries on the fly. > >The essential problem is relying on security by obscurity, "I have user >accounts (nss) that have publicly available credentials but noone [sic] >should be able to see how the database really is organized". > > I don't agree - basic security says that no user should have more access than he strictly needs. A user that only uses a fixed set of queries doesn't need to see how the database is laid out - if he can, an attacker wouldn't need to guess the names of other fields that may contain sensitive information. Obviously those fields should be access-restricted as well, but you shouldn't make things easier on any front. -- You prefer the company of the opposite sex, but are well liked by your own. -- Public GPG key at blackhole.pca.dfn.de GCS/IT d- s:+ a- C(+++)$ UL$ P+++()$ L++(+++)$ !E- W+(+++)$ N+(++) o K w$ !O !M V PS(++)@ PE-(++)@ Y+ PGP++(+++) t(+) 5 X R tv-- b++() DI++() D++ G e++>+ h(+) r y+** signature.asc Description: OpenPGP digital signature
Re: MySQL 5.0 information leak?
Burton Strauss wrote: >I'd get a refund on your coinage... root's password is not security by >obscurity, it is an undisclosed piece of information. There is a big >difference. > > Now we're arguing symantics, undislosed information would also by the MySQL information leak problem then too, as Bernd doesn't want to disclose such information to an attacker. >-Burton > >-Original Message- >From: Lance James [mailto:[EMAIL PROTECTED] >Sent: Saturday, January 21, 2006 2:09 PM >To: Burton Strauss >Cc: 'Bernd Wurst'; bugtraq@securityfocus.com >Subject: Re: MySQL 5.0 information leak? > >Burton Strauss wrote: > > > >>Traditionally the schema for a database is NOT secure information. >>Applications download this information to build queries on the fly. >> >>The essential problem is relying on security by obscurity, "I have user >>accounts (nss) that have publicly available credentials but noone [sic] >>should be able to see how the database really is organized". >> >> >> >> > >Denying the security through obscurity is not applicable could be incorrect. >It does have it's place i.e. what's your root password? > >In WebAppSec, security by obscurity assists in deterring attackers, and >buying some time. So if one can prevent full disclosure of the schema of the >db, that can be useful combined with security in depth. > >my two cents. > >-Lance > > > >>-Burton >> >>-Original Message- >>From: Bernd Wurst [mailto:[EMAIL PROTECTED] >>Sent: Friday, January 20, 2006 6:05 AM >>To: bugtraq@securityfocus.com >>Subject: MySQL 5.0 information leak? >> >>Hi. >> >>I just upgraded to mysql 5.0.18 and started using all those cool new >>features. :) >> >>But concerning VIEWs, I think the information_schema is too verbose to >>the user. I started creating a VIEW that searches information from >>several tables, mangles the data and gives the user a clean table with >>his data. So far, so good. >> >>But I only give the user access to this VIEW, so he cannot see what's >>done to get his data from several tables. >> >>SHOW CREATE VIEW myview; >>does (correctly) result in an error that the user is not allowed to see >>the CREATE VIEW. >> >>But SELECT * FROM information_schema.views; returns the full query that >>ceates the desired VIEW. >> >>I think of this as a security issue because I have user accounts (nss) >>that have publicly available credentials but noone should be able to >>see how the database really is organized. >> >>What do you think of this? Bug? >> >>cu, Bernd >> >>-- >>Windows Error 019: User error. It's not our fault. Is not! Is not! >> >> >> >> >> >> > > > >
Re: MySQL 5.0 information leak?
* Bernd Wurst ([EMAIL PROTECTED]) wrote: > I think of this as a security issue because I have user accounts (nss) > that have publicly available credentials but noone should be able to > see how the database really is organized. > > What do you think of this? Bug? Probably not but the answer you seek is in the SQL specification. Information Schema is defined there and it also defines what is allowed to be seen and by whom. Wanting to hide the database layout from the users of the database in this way seems quite... confused. Thanks, Stephen signature.asc Description: Digital signature
RE: MySQL 5.0 information leak?
Traditionally the schema for a database is NOT secure information. Applications download this information to build queries on the fly. The essential problem is relying on security by obscurity, "I have user accounts (nss) that have publicly available credentials but noone [sic] should be able to see how the database really is organized". -Burton -Original Message- From: Bernd Wurst [mailto:[EMAIL PROTECTED] Sent: Friday, January 20, 2006 6:05 AM To: bugtraq@securityfocus.com Subject: MySQL 5.0 information leak? Hi. I just upgraded to mysql 5.0.18 and started using all those cool new features. :) But concerning VIEWs, I think the information_schema is too verbose to the user. I started creating a VIEW that searches information from several tables, mangles the data and gives the user a clean table with his data. So far, so good. But I only give the user access to this VIEW, so he cannot see what's done to get his data from several tables. SHOW CREATE VIEW myview; does (correctly) result in an error that the user is not allowed to see the CREATE VIEW. But SELECT * FROM information_schema.views; returns the full query that ceates the desired VIEW. I think of this as a security issue because I have user accounts (nss) that have publicly available credentials but noone should be able to see how the database really is organized. What do you think of this? Bug? cu, Bernd -- Windows Error 019: User error. It's not our fault. Is not! Is not!