Serious exploit concerning privilege system

on 07.08.2002 12:14:55 by Bjoern Wilmsmann

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

We have discovered what is, from my point of view, a serious exploit in the MySQL
privilege system: if a user with empty attributes 'User' and 'Db' exists both
in the table 'mysql.db' and 'mysql.user', any user created on that MySQL
server is capable of accessing all databases with the privileges granted to
the user with the empty username, although he is usually supposed to only
have limited privileges for a single database.

How-To-Repeat:
Insert a line with an empty 'User' attribute into 'mysql.user' and a line with
empty 'User' and 'Db' attributes into 'mysql.db' granting full privileges
here; afterwards log in using any user on that system usually having
restricted privileges and you will, despite privileges meant to be
limited, have full access to all databases.

- --
Bjoern Wilmsmann - Systems Programmer
gamigo® AG
Butterstr. 13
48431 Rheine
Tel. +49 5971-899060
Fax +49 5971-8990611
- - ---------------------------------------
This e-mail may contain confidential and/or privileged information. If you
are not the intended recipient (or have received this e-mail in error)
please notify the sender immediately and destroy this e-mail. Any
unauthorised copying, disclosure or distribution of the material in this
e-mail is strictly forbidden.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9UPMfgz0R1bg11MERAiHBAJ0c5AflWJBE+BG+vcmEpCVkekhbiQCgh09Y
C1En3iyN/XWOiqmTmyp6QZw=
=oO+6
-----END PGP SIGNATURE-----


---------------------------------------------------------------------
Before posting, please check:
http://www.mysql.com/manual.php (the manual)
http://lists.mysql.com/ (the list archive)

To request this thread, e-mail bugs-thread12319@lists.mysql.com
To unsubscribe, e-mail

Re: Serious exploit concerning privilege system

on 07.08.2002 14:18:16 by Sameh Attia

Bjoern Wilmsmann wrote:

>We have discovered a, from my point of view, serious exploit in the MySQL
>privilege system: If a user with empty attributes 'User' and 'Db' exists both
>in the table 'mysql.db' and 'mysql.user' any user created on that MySQL
>server is capable of accessing all databases with the privileges granted to
>the user with the empty username, although he is usually supposed to only
>have limited privileges for a single database.
>
>How-To-Repeat:
>Insert a line with empty attribute 'User' into 'mysql.user' and a line with
>empty attributes 'User' and 'Db' into 'mysql.db' granting full privileges
>here, afterwards log in using any user on that system usually having
>restricted privileges and you will, despite of privileges meant to be
>limited, have full access to all databases.
>
I followed your How-To-Repeat steps but nothing happened; i.e.
restricted users are still restricted as they were. They cannot even switch
to other databases. Am I wrong or is it not a bug?
Regards

--
Sameh Attia
Senior System Engineer
T.E. Data
--





Re: Serious exploit concerning privilege system

on 07.08.2002 14:29:05 by Peter Zaitsev

On Wednesday 07 August 2002 14:14, Bjoern Wilmsmann wrote:

Dear Bjoern,

We're very concerned about security related issues.
However, in order to fix this issue as soon as possible we would need an
exact bug report from you.

Please specify which MySQL version you are trying
and provide the full steps which are required to solve the issue.

In your case it would be creating 2 users, one empty one with
all privileges and a rightless one with a normal name, to simulate the hole.

As soon as we get a repeatable bug report we'll try to fix this shortly.


--
Mr. Peter Zaitsev
MySQL AB, Full-Time Developer
Moscow, Russia
www.mysql.com M: +7 095 725 4955



Re: Serious exploit concerning privilege system

on 07.08.2002 14:45:22 by Bjoern Wilmsmann

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Wednesday, 7 August 2002 14:29, Peter Zaitsev wrote:

> As soon as we get repeatable bug report we'll try to fix this shortly.

Ok, here we go:

We use MySQL 4.0.0 alpha

How-To-Repeat:
Execute the following queries:
USE mysql;
INSERT INTO db (Host, Db, User, Select_priv, Insert_priv, Update_priv,
Delete_priv, Create_priv, Drop_priv, Grant_priv, References_priv, Index_priv,
Alter_priv) VALUES ('%', '', '', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y',
'Y', 'Y', 'Y', 'Y');
INSERT INTO user (Host, User, Password, Select_priv, Insert_priv, Update_priv,
Delete_priv, Create_priv, Drop_priv, Reload_priv, Shutdown_priv,
Process_priv, File_priv, Grant_priv, References_priv, Index_priv, Alter_priv)
VALUES ('%', '', PASSWORD(''), 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N',
'N', 'N', 'N', 'N', 'N');
INSERT INTO db (Host, Db, User, Select_priv, Insert_priv, Update_priv,
Delete_priv, Create_priv, Drop_priv, Grant_priv, References_priv, Index_priv,
Alter_priv) VALUES ('%', 'testdb', 'testuser', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y',
'Y', 'Y', 'Y', 'Y');
INSERT INTO user (Host, User, Password, Select_priv, Insert_priv, Update_priv,
Delete_priv, Create_priv, Drop_priv, Reload_priv, Shutdown_priv,
Process_priv, File_priv, Grant_priv, References_priv, Index_priv, Alter_priv)
VALUES ('%', 'testuser', PASSWORD('testpassword'), 'N', 'N', 'N', 'N', 'N',
'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N');
FLUSH PRIVILEGES;  -- rows inserted directly into the grant tables are only read after a reload

After having done so, connect to the MySQL server as the user 'testuser' and
you will have full access to all databases existing on that system, though
'testuser' is supposed to only have access to the database 'testdb'.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE9URZigz0R1bg11MERAsMrAKCYcsbbSqc6NNYCs74Pe0T6Uh3lcwCePJ0l
CnYVGKIIvoORoxPjqMUdvcQ=
=Bt9x
-----END PGP SIGNATURE-----



Re: Serious exploit concerning privilege system

on 07.08.2002 16:22:44 by Sameh Attia

Bjoern Wilmsmann wrote:

>On Wednesday, 7 August 2002 14:29, Peter Zaitsev wrote:
>
>>As soon as we get repeatable bug report we'll try to fix this shortly.
>
>Ok, here we go:
>
>We use MySQL 4.0.0 alpha
>
>How-To-Repeat:
>Execute the following queries:
>USE mysql;
[skip]
>
>After having done so, connect to the MySQL-Server with the user 'testuser' and
>you will have full access to all databases existing on that system, though
>'testuser' is supposed to only have access to the database 'testdb'.
>
Is it applicable to MySQL 3.23.x? I have 3.23.51 and it did not work either; I
mean, no exploit.
Regards






Re: Serious exploit concerning privilege system

on 07.08.2002 17:26:00 by Sinisa Milivojevic

Bjoern Wilmsmann writes:
> On Wednesday, 7 August 2002 14:29, Peter Zaitsev wrote:
>
> > As soon as we get repeatable bug report we'll try to fix this shortly.
>
> Ok, here we go:
>
> We use MySQL 4.0.0 alpha
>
> How-To-Repeat:
[skip]
> After having done so, connect to the MySQL server as the user 'testuser' and
> you will have full access to all databases existing on that system, though
> 'testuser' is supposed to only have access to the database 'testdb'.

Thanks for your test case, which I will test today.

In principle, we discourage meddling directly with the privilege
tables. We recommend using GRANT / REVOKE instead.


--
Regards,
Mr. Sinisa Milivojevic
MySQL AB, Fulltime Developer
Larnaca, Cyprus
www.mysql.com



Re: Serious exploit concerning privilege system

on 07.08.2002 19:11:12 by Peter Zaitsev

On Wednesday 07 August 2002 16:45, Bjoern Wilmsmann wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Am Mittwoch, 7. August 2002 14:29 schrieb Peter Zaitsev:
> > As soon as we get repeatable bug report we'll try to fix this shortly.
>

Thank you for your test case. It still works with the 4.0.3pre tree;
I tested it. So we will try to fix this shortly.






Re: Serious exploit concerning privilege system

on 07.08.2002 20:56:38 by Sinisa Milivojevic

Bjoern Wilmsmann writes:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Am Mittwoch, 7. August 2002 14:29 schrieb Peter Zaitsev:
>
> > As soon as we get repeatable bug report we'll try to fix this shortly.
>
> Ok, here we go:
>
[skip]

Hi!

Thank you for your test case which displayed one flaw in our privilege
system, most notably in the database hash.

Fix will come in 3.23.52 and 4.0.3. This is a patch:

===== sql/sql_acl.cc 1.37 vs edited =====
*** /tmp/sql_acl.cc-1.37-13429 Sat Aug 3 17:21:21 2002
--- edited/sql/sql_acl.cc Wed Aug 7 21:41:44 2002
***************
*** 242,247 ****
--- 242,249 ----
ACL_DB db;
update_hostname(&db.host,get_field(&mem, table,0));
db.db=get_field(&mem, table,1);
+ if (!db.db || !db.db[0])
+ continue;
db.user=get_field(&mem, table,2);
db.access=get_access(table,3);
db.access=fix_rights_for_db(db.access);
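Review bot: the skip added here is silent, so an administrator whose mysql.db still contains a row with an empty Db (a value that, as Benjamin points out later in the thread, the manual documented as meaning any database) gets no indication after the reload that the row is now ignored; consider writing a warning to the error log at the `continue`, and updating the manual in the same change. The new check covers only `db.db`; the following `db.user=get_field(&mem, table,2);` still loads an empty User as the anonymous entry that matches every user, so a row with an empty User and a concrete Db keeps applying to everyone, which is unchanged by this hunk and worth stating in the release notes.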




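The matching rule that Bjoern's test case exercises and that Sinisa's one-line patch changes, as an added Python model (example code written for this page, not the thread's or MySQL's own; it deliberately simplifies the lookup in sql_acl.cc as the comments state, and the client host name app.example, the sample rows and the audit helper are assumptions for illustration):

```python
# Added example (not from the mailing-list thread or the MySQL source): a
# simplified model of how MySQL 3.23/4.0 matched a connecting user against
# the mysql.db table, with a switch that mirrors the posted patch (skip db
# rows whose Db column is empty).
#
# Simplifying assumptions, not the real sql_acl.cc:
#   * an empty User or Db column loads as None, which then matches anything
#     (the "blank works as a wildcard" behaviour described in the thread);
#   * Host and Db accept the SQL-style wildcards % and _;
#   * rows are consulted in the order given and the first match wins (MySQL
#     sorts more specific rows first, which does not change the outcome for
#     the rows used here);
#   * only the db-level check is modelled; the user-table global privileges
#     in the test case are all 'N', so they contribute nothing.
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import FrozenSet, List, Optional, Tuple

FULL_DB_PRIVS = frozenset({
    "Select", "Insert", "Update", "Delete", "Create", "Drop",
    "Grant", "References", "Index", "Alter",
})


@dataclass(frozen=True)
class AclDb:
    host: str
    db: Optional[str]      # None = wildcard (loaded from an empty Db column)
    user: Optional[str]    # None = wildcard (loaded from an empty User column)
    access: FrozenSet[str]


def wild_compare(value: str, pattern: str) -> bool:
    """SQL-style pattern match: '%' matches any run, '_' one character."""
    translated = pattern.replace("*", "[*]").replace("?", "[?]")
    translated = translated.replace("%", "*").replace("_", "?")
    return fnmatchcase(value, translated)


def load_db_rows(rows: List[Tuple[str, str, str, FrozenSet[str]]],
                 skip_empty_db: bool) -> List[AclDb]:
    """Model of the acl_init() loop over mysql.db.

    Each row is (Host, Db, User, access). With skip_empty_db=True the loop
    behaves like the patched one: a row with an empty Db is dropped instead
    of becoming a match-anything entry.
    """
    acl_dbs = []
    for host, db, user, access in rows:
        if skip_empty_db and not db:
            continue  # the `if (!db.db || !db.db[0]) continue;` of the patch
        acl_dbs.append(AclDb(host=host, db=db or None,
                             user=user or None, access=access))
    return acl_dbs


def acl_get(acl_dbs: List[AclDb], user: str, host: str,
            db: str) -> FrozenSet[str]:
    """Return the db-level privileges user@host gets on database `db`."""
    for row in acl_dbs:
        if row.user is not None and row.user != user:
            continue
        if not wild_compare(host, row.host):
            continue
        if row.db is not None and not wild_compare(db, row.db):
            continue
        return row.access
    return frozenset()


# The two mysql.db rows from the test case, as constructed sample data.
BJOERNS_DB_ROWS = [
    ("%", "",       "",         FULL_DB_PRIVS),  # anonymous, any-database row
    ("%", "testdb", "testuser", FULL_DB_PRIVS),  # the intended, restricted grant
]


def privileges_on(db: str, skip_empty_db: bool) -> FrozenSet[str]:
    """What 'testuser' connecting from 'app.example' (assumed) gets on `db`."""
    acl_dbs = load_db_rows(BJOERNS_DB_ROWS, skip_empty_db=skip_empty_db)
    return acl_get(acl_dbs, user="testuser", host="app.example", db=db)


def suspicious_db_rows(rows):
    """Audit helper: db rows an admin should review (empty User or empty Db)."""
    return [r for r in rows if r[1] == "" or r[2] == ""]


if __name__ == "__main__":
    for patched in (False, True):
        label = "patched" if patched else "unpatched"
        print(f"{label}: testdb  -> {sorted(privileges_on('testdb', patched))}")
        print(f"{label}: otherdb -> {sorted(privileges_on('otherdb', patched))}")
    print("rows to review:", suspicious_db_rows(BJOERNS_DB_ROWS))
```

Run as-is, the unpatched model hands 'testuser' the full privilege set on 'otherdb' through the anonymous row, while the patched model returns an empty set there and still the full set on 'testdb'; suspicious_db_rows is the in-memory counterpart of the check a DBA would run against the real table before and after such a fix.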

Re: Serious exploit concerning privilege system

on 07.08.2002 20:58:57 by Sinisa Milivojevic

Sameh Attia writes:
> Bjoern Wilmsmann wrote:
[skip]
> I followed your How-To-Repeat steps but nothing happened; i.e.
> restricted users are still restricted as they were. They cannot even switch
> to other databases. Am I wrong or is it not a bug?
> Regards
>
> --
> Sameh Attia
> Senior System Engineer
> T.E. Data
> --

Hi!

This bug was fixed today and releases 3.23.52 and 4.0.3 will come with
this fix.

This is a patch:

===== sql/sql_acl.cc 1.37 vs edited =====
*** /tmp/sql_acl.cc-1.37-13429 Sat Aug 3 17:21:21 2002
--- edited/sql/sql_acl.cc Wed Aug 7 21:41:44 2002
***************
*** 242,247 ****
--- 242,249 ----
ACL_DB db;
update_hostname(&db.host,get_field(&mem, table,0));
db.db=get_field(&mem, table,1);
+ if (!db.db || !db.db[0])
+ continue;
db.user=get_field(&mem, table,2);
db.access=get_access(table,3);
db.access=fix_rights_for_db(db.access);





Re: Serious exploit concerning privilege system

on 07.08.2002 21:16:57 by Bjoern Wilmsmann

> Or did I miss something?

The aspect you missed is that every user has the privileges of that "blank"
user, since a blank indeed seems to work as a wildcard; thus, if for
instance something goes wrong while inserting new users into the database
named 'mysql' (as has happened on our system), suddenly every user may
have global rights.

--
Bjoern Wilmsmann - Systems Programmer
gamigo AG
Butterstr. 13
48431 Rheine
Tel. +49 5971-899060
Fax +49 5971-8990611
Email: bjoern@gamigo.de



Re: Serious exploit concerning privilege system

on 07.08.2002 23:05:47 by Benjamin Pflugmann

Hello.

On Wed 2002-08-07 at 21:16:57 +0200, bjoern@gamigo.de wrote:
> > Or did I miss something?
>
> The aspect you missed is that every user has the privileges of that "blank"
> user, since blank space indeed seems to work as a wildcard,

I did not miss that. That is exactly what I said.

> thus, if for instance something goes wrong while inserting new users
> into the database named 'mysql' (as it has happened on our system)
> suddenly every user may have global rights.

What do you mean by "goes wrong"? MySQL happens to use the empty
string as default on (type) errors, but I cannot see how such an error
could occur with "db" being a char field.

If something on your application (or "by hand") side was wrong, well
then you have to expect undefined, and therefore insecure, behaviour.[1]

What I meant to say with my former mail is that the behaviour seemed
to be the intended one (because it was the documented one) and is not
an unintended misbehaviour (aka bug).

I agree - and never said otherwise - that a safer fall-back
(i.e. giving no right at all) would be nice, if possible, so that an
explicit "%" is needed to mean any database (and in this case, it
seems that Sinisa already implemented it).

Btw, Sinisa, please make sure you update the manual along with your
patch, because IMHO, the old behaviour has been the documented one
(see my other mail), which has been broken by your patch.

Regards,

Benjamin.


[1] This is almost as likely to happen, if you require an explicit "%".

--
benjamin-mysql@pflugmann.de


Re: Serious exploit concerning privilege system

on 08.08.2002 02:51:13 by Bjoern Wilmsmann

> What I meant to say with my former mail is, that the behaviour seemed
> to be the intended one (because it was the documented one) and is not
> an unintended misbehaviour (aka bug).
>
> I agree - and never said otherwise - that a safer fall-back
> (i.e. giving no right at all) would be nice, if possible, so that an
> explicit "%" is needed to mean any database (and in this case, it
> seems that Sinisa already implemented it).

ACK




Re: Serious exploit concerning privilege system

on 08.08.2002 14:30:29 by Sinisa Milivojevic

Bjoern Wilmsmann writes:
> > (i.e. giving no right at all) would be nice, if possible, so that an
> > explicit "%" is needed to mean any database (and in this case, it
> > seems that Sinisa already implemented it).
>
> ACK
>

Yes, that is true.

Thanks again for bringing this to our attention.


