>Description:
Whenever you create a database with an underscore in it and give
a user rights to it, he is able to create other databases with
whatever character in place of the underscore.
>How-To-Repeat:
create database aa_bb;
grant all privileges on aa_bb.* to aa@localhost identified by 'bb';
Login as the user aa and:
create database aaabb;
Dutch forum thread with more examples:
http://gathering.tweakers.net/showtopic.php/319314/1/100
>Fix:
Avoid using databases with an _ (underscore) in their names.
>Submitter-Id: [EMAIL PROTECTED]
>Originator: F. Kooman
>Organization:
>MySQL support: none
>Synopsis: mysql database creation security problem
>Severity: serious
>Priority: medium
>Category: mysql
>Class: sw-bug
>Release: mysql-3.23.44 (Source distribution)
>Environment:
System: Linux uranium 2.2.20 #2 Mon Nov 5 10:20:59 CET 2001 i686 unknown
Architecture: i686
Some paths: /usr/local/bin/perl /usr/bin/make /usr/bin/gmake /usr/bin/gcc /usr/bin/cc
GCC: Reading specs from /usr/lib/gcc-lib/i386-slackware-linux/2.95.2/specs
gcc version 2.95.2 19991024 (release)
Compilation info: CC='gcc' CFLAGS='' CXX='c++' CXXFLAGS='' LDFLAGS=''
LIBC:
lrwxrwxrwx 1 root root 11 Dec 18 2000 /lib/libc.so.6 -> libc-2.2.so
-rwxr-xr-x 1 root root 4808643 Nov 20 2000 /lib/libc-2.2.so
-rw-r--r-- 1 root root 24076056 Nov 20 2000 /usr/lib/libc.a
-rw-r--r-- 1 root root 178 Nov 20 2000 /usr/lib/libc.so
Configure command: ./configure --prefix=/usr/local/mysql
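
An audit sketch for the behaviour reported above, added here and not part of the original report or of MySQL's code. It relies on MySQL's documented rule that `_` and `%` in a database-level grant are wildcards unless written as `\_` and `\%`; the function names, sample rows and candidate names are constructed for illustration, and matching is assumed to be case-sensitive.

```python
import re

def tokens(pattern):
    """Split a database-level grant pattern into (kind, char) pairs."""
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern) and pattern[i + 1] in "_%":
            yield ("lit", pattern[i + 1])   # \_ or \% is a literal character
            i += 2
        else:
            yield ({"_": "any1", "%": "anyN"}.get(ch, "lit"), ch)
            i += 1

def to_regex(toks):
    """Build an anchored regex with the same matching rules as the pattern."""
    part = {"any1": lambda c: ".", "anyN": lambda c: ".*", "lit": re.escape}
    return re.compile("".join(part[k](c) for k, c in toks), re.DOTALL)

def audit(grant_rows, candidate_names):
    """Report grants whose database pattern contains an unescaped wildcard."""
    findings = []
    for user, host, pattern in grant_rows:
        toks = list(tokens(pattern))
        if all(kind == "lit" for kind, _ in toks):
            continue                        # fully literal: matches one name only
        rx = to_regex(toks)
        literal_name = "".join(c for _, c in toks)
        findings.append({
            "grantee": f"{user}@{host}",
            "pattern": pattern,
            "escaped": "".join("\\" + c if c in "_%" else c for _, c in toks),
            "also_matches": [n for n in candidate_names
                             if n != literal_name and rx.fullmatch(n)],
        })
    return findings

# Constructed sample rows in the shape of (User, Host, Db) from mysql.db.
SAMPLE_GRANTS = [("aa", "localhost", "aa_bb"), ("cc", "localhost", "cc\\_dd")]
# Constructed candidate names a tenant might try to create.
SAMPLE_NAMES = ["aa_bb", "aaabb", "aaXbb", "aabb", "ccxdd", "cc_dd"]

if __name__ == "__main__":
    for f in audit(SAMPLE_GRANTS, SAMPLE_NAMES):
        print(f)
```

The `escaped` field is the pattern to use in a replacement grant so that it covers only the one intended database name.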