security vulnerability
Description:
Any user in mysql can create as many databases as he wants. Create a user with 1 database, and let him create a database with the name my_data_base. Log into the mysql console as that user and run the command:

CREATE DATABASE my?data?base;

A new database will be created and the user can create tables and use it as a normal database. You can also create my?data_base, my_data?base, or try to use *, $, #, a-z, A-Z and other symbols instead of the underscores _ ...

I've just tried to log into the MySQL console as a usual non-privileged user with N,N,N,N... permissions in mysql.user and tried to create some database with other names -- no permissions error. However I COULD create 5 databases with names similar to my_data_base... I can operate them (as this user) without problems. Seems like a huge hole in our MySQL (or MySQL at all).

How-To-Repeat:
Fix:
Submitter-Id: submitter ID
Originator:
Organization: Plesk Inc
MySQL support: [none | licence | email support | extended email support ]
Synopsis: Any user in mysql can create as many databases as he wants.
Severity: critical
Priority: high
Category: mysql
Class:
Release: mysql-3.23.46 (Source distribution)
Environment:
System: Linux abe.plesk.ru 2.4.7-10 #1 Thu Sep 6 17:27:27 EDT 2001 i686 unknown
Architecture: i686
Some paths: /usr/bin/perl /usr/bin/make /usr/bin/gmake /usr/bin/gcc /usr/bin/cc
GCC: Reading specs from /usr/lib/gcc-lib/i386-redhat-linux/2.96/specs
gcc version 2.96 2731 (Red Hat Linux 7.1 2.96-98)
Compilation info: CC='gcc' CFLAGS='-O2 -march=i386 -mcpu=i586 -fPIC' CXX='c++' CXXFLAGS=' -O2 -march=i386 -mcpu=i586 -fPIC' LDFLAGS=''
LIBC:
lrwxrwxrwx 1 root root 13 Apr 18 21:36 /lib/libc.so.6 -> libc-2.2.4.so
-rwxr-xr-x 1 root root 1282588 Sep 5 2001 /lib/libc-2.2.4.so
-rw-r--r-- 1 root root 27304836 Sep 5 2001 /usr/lib/libc.a
-rw-r--r-- 1 root root 178 Sep 5 2001 /usr/lib/libc.so
lrwxrwxrwx 1 root root 10 Jul 23 23:58 /usr/lib/libc-client.a -> c-client.a
Configure command: ./configure --without-x --disable-assembler --disable-shared --enable-large-files --without-perl --without-debug --without-bench --without-docs --with-readline --with-mysqld-user=mysql --with-low-memory --prefix=/usr/local/psa/mysql --with-named-curses-libs=/usr/lib/libncurses.a --with-named-z-libs=/usr/lib/libz.a

-
Before posting, please check:
http://www.mysql.com/manual.php (the manual)
http://lists.mysql.com/ (the list archive)
To request this thread, e-mail [EMAIL PROTECTED]
To unsubscribe, e-mail [EMAIL PROTECTED]
Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
Re: Security vulnerability
Hi!

On Oct 01, Plesk Support wrote:
> Any user in mysql can create as many databases as he wants. Create a user with 1 database, and let him create a database with the name my_data_base. Log into the mysql console as that user and run the command:
>
> CREATE DATABASE my?data?base;
>
> A new database will be created and the user can create tables and use it as a normal database. You can also create my?data_base, my_data?base, or try to use *, $, #, a-z, A-Z and other symbols instead of the underscores _ ...
>
> I've just tried to log into the MySQL console as a usual non-privileged user with N,N,N,N... permissions in mysql.user and tried to create some database with other names -- no permissions error. However I COULD create 5 databases with names similar to my_data_base... I can operate them (as this user) without problems. Seems like a huge hole in our MySQL (or MySQL at all).

No, it is not. As noted in the manual (Access Control, Stage 2: Request Verification section), the mysql.db and mysql.host tables accept wildcards in the Db and Host fields of either table. We will add a note to the GRANT section to make it more clear, thank you for the hint.

Regards,
Sergei

--
Sergei Golubchik [EMAIL PROTECTED]
MySQL AB, http://www.mysql.com/
Osnabrueck, Germany
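The mechanism behind the reply, as an added example that is not part of the original thread and not MySQL's own code: the database name stored in the Db column of mysql.db (the name you give to GRANT ... ON dbname.*) is matched against the requested database with LIKE-style wildcards, where _ stands for any single character and % for any run of characters. A grant on my_data_base therefore also covers my?data?base, my$data#base and every other twelve-character name with "my", "data" and "base" in the right places, which is exactly what the report observed. To grant on the literal name, the wildcards have to be escaped with a backslash in the GRANT statement. The Python below is a from-scratch model of that matching rule plus the escaping helper; the function names, the account name in the note afterwards and the sample database names are invented for the example.

```python
import re

# Added example, not code from the original thread or from MySQL itself: a
# from-scratch model of the wildcard rule MySQL applies to the Db column of
# mysql.db (the database name given to GRANT) when it checks a request.
# '_' matches exactly one character, '%' matches any run of characters
# (including none), and a backslash makes the next character literal.
# Function names and the sample database names below are invented for the
# example. Comparison is case-sensitive here; real servers may differ
# depending on lower_case_table_names.

def _pattern_to_regex(pattern: str) -> str:
    """Translate a GRANT-style Db pattern into a regular expression."""
    out = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):
            # Escaped character: match it literally, whatever it is.
            out.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        if c == "_":
            out.append(".")        # any single character
        elif c == "%":
            out.append(".*")       # any sequence, possibly empty
        else:
            out.append(re.escape(c))
        i += 1
    return "".join(out)


def db_pattern_matches(pattern: str, dbname: str) -> bool:
    """True if a privilege row whose Db column is `pattern` applies to `dbname`."""
    return re.fullmatch(_pattern_to_regex(pattern), dbname, re.DOTALL) is not None


def escape_for_grant(dbname: str) -> str:
    """Escape a literal database name so GRANT ... ON dbname.* covers only that name."""
    return (dbname.replace("\\", "\\\\")
                  .replace("_", "\\_")
                  .replace("%", "\\%"))


def reachable_databases(pattern: str, candidates):
    """Every candidate name the given Db pattern would grant access to."""
    return [name for name in candidates if db_pattern_matches(pattern, name)]


# Constructed sample: the one database the customer was sold, the kinds of
# names the report says the user could create, and two that must not match.
SAMPLE_NAMES = [
    "my_data_base",
    "my?data?base",
    "my_data?base",
    "my$data#base",
    "my_data_base_2",
    "other_db",
]

if __name__ == "__main__":
    weak = "my_data_base"                # what GRANT ... ON my_data_base.* stores
    fixed = escape_for_grant(weak)       # my\_data\_base
    print("unescaped grant reaches:", reachable_databases(weak, SAMPLE_NAMES))
    print("escaped grant reaches:  ", reachable_databases(fixed, SAMPLE_NAMES))
```

In MySQL terms the weak grant is GRANT ALL ON my_data_base.* TO 'cust'@'localhost' and the corrected one is GRANT ALL ON `my\_data\_base`.* TO 'cust'@'localhost' ('cust'@'localhost' is an assumed account). The Host column is matched with the same wildcards, so a hosting-control-panel script that builds GRANT statements from customer-chosen names should escape _ and % before interpolating them, and an audit can run SELECT Db FROM mysql.db and look for unescaped wildcard characters.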