>Description:
Whenever you create a database with an underscore in it and give a user rights to it, he is able to create other databases with whatever character in place of the underscore.
>How-To-Repeat:
create database aa_bb;
grant all privileges on aa_bb.* to aa@localhost identified by 'bb';
Login as the user aa and:
create database aaabb;

Dutch forum thread with more examples:
http://gathering.tweakers.net/showtopic.php/319314/1/100
>Fix:
Avoid using databases with an _ (underscore) in it
>Submitter-Id: [EMAIL PROTECTED]
>Originator: F. Kooman
>Organization:
>MySQL support: none
>Synopsis: mysql database creation security problem
>Severity: serious
>Priority: medium
>Category: mysql
>Class: sw-bug
>Release: mysql-3.23.44 (Source distribution)
>Environment:
System: Linux uranium 2.2.20 #2 Mon Nov 5 10:20:59 CET 2001 i686 unknown
Architecture: i686

Some paths: /usr/local/bin/perl /usr/bin/make /usr/bin/gmake /usr/bin/gcc /usr/bin/cc
GCC: Reading specs from /usr/lib/gcc-lib/i386-slackware-linux/2.95.2/specs
gcc version 2.95.2 19991024 (release)
Compilation info: CC='gcc' CFLAGS='' CXX='c++' CXXFLAGS='' LDFLAGS=''
LIBC:
lrwxrwxrwx 1 root root 11 Dec 18 2000 /lib/libc.so.6 -> libc-2.2.so
-rwxr-xr-x 1 root root 4808643 Nov 20 2000 /lib/libc-2.2.so
-rw-r--r-- 1 root root 24076056 Nov 20 2000 /usr/lib/libc.a
-rw-r--r-- 1 root root 178 Nov 20 2000 /usr/lib/libc.so
Configure command: ./configure --prefix=/usr/local/mysql
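
Added example, not part of the original report and not MySQL's own code: MySQL treats _ and % in the database name of a database-level GRANT as wildcards unless they are escaped with a backslash, which is the behaviour reported above. The Python sketch below re-implements that matching rule (case-sensitive comparison is an assumption) and audits constructed rows in the shape of mysql.db (User, Host, Db); every function name and sample row is made up for illustration.

```python
import re

# Constructed sample rows in the shape of (User, Host, Db) from mysql.db.
SAMPLE_GRANTS = [
    ("aa", "localhost", "aa_bb"),     # the grant from the report
    ("cc", "localhost", r"cc\_dd"),   # underscore escaped, matched literally
    ("ee", "localhost", "shop%"),     # prefix wildcard, needs a human decision
]

def tokenize(pattern):
    """Yield ('lit', ch) or ('wild', ch) for each element of a GRANT db name."""
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern) and pattern[i + 1] in "_%":
            yield ("lit", pattern[i + 1])   # \_ or \% is a literal character
            i += 2
            continue
        yield ("wild" if ch in "_%" else "lit", ch)
        i += 1

def grant_matches(pattern, dbname):
    """True if a database-level grant on `pattern` covers `dbname`."""
    parts = []
    for kind, ch in tokenize(pattern):
        if kind == "lit":
            parts.append(re.escape(ch))
        else:
            parts.append("." if ch == "_" else ".*")  # _ = one char, % = any run
    return re.fullmatch("".join(parts), dbname, re.DOTALL) is not None

def unescaped_wildcards(pattern):
    """List the wildcard characters that are active in this db name."""
    return [ch for kind, ch in tokenize(pattern) if kind == "wild"]

def literal_form(pattern):
    """Db name to use in GRANT so every _ and % is matched literally."""
    return "".join("\\" + ch if ch in "_%" else ch for _, ch in tokenize(pattern))

def audit(grants):
    """Return (user, host, db, literal_db) for each grant with active wildcards."""
    return [(u, h, db, literal_form(db))
            for u, h, db in grants if unescaped_wildcards(db)]

if __name__ == "__main__":
    for user, host, db, fixed in audit(SAMPLE_GRANTS):
        print(f"{user}@{host}: grant on {db!r} is a pattern; literal form is {fixed!r}")
```

A flagged row is a candidate for review, not automatically a mistake: a pattern such as shop% may be intentional, while aa_bb almost certainly was meant as a literal name.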