Security vulnerability

on 01.10.2002 13:24:49 by Plesk Support

SEND-PR: -*- send-pr -*-
SEND-PR: Lines starting with `SEND-PR' will be removed automatically, as
SEND-PR: will all comments (text enclosed in `<' and `>').
SEND-PR:
From: kmv@plesk.com
To: mysql@lists.mysql.com
Subject: security vulnerability

Description:
Any user in mysql can create as many databases as he wants.
Create a user with 1 database, and let him create a database with the name
"my_data_base". Log into the mysql console as that user and run the command:

CREATE DATABASE "my?data?base";

New database will be created and user can create tables and use it as normal
database. You can also create "my?data_base", "my_data?base", or try
to use *,$, #, a-z, A-Z.... and other symbols instead of underlines "_" ...

I've just tried to log into the MySQL console as a usual non-privileged user with
N,N,N,N... permissions in "mysql.user" and tried to create some base with
other names -- no permissions error. However I COULD create 5 databases
with names similar to "my_data_base"... I can operate them (as this
user) without problems. Seems like a huge hole in our MySQL (or MySQL at all).

>How-To-Repeat:

>Fix:

>Submitter-Id:
>Originator:
>Organization:
>
>MySQL support: [none | licence | email support | extended email support ]
>Synopsis:
Severity: critical
Priority: high
Category: mysql
>Class: <[ sw-bug | doc-bug | change-request | support ] (one line)>
Release: mysql-3.23.46 (Source distribution)


------------------------------------------------------------ ---------
Before posting, please check:
http://www.mysql.com/manual.php (the manual)
http://lists.mysql.com/ (the list archive)

To request this thread, e-mail bugs-thread12630@lists.mysql.com
To unsubscribe, e-mail

Re: Security vulnerability

on 01.10.2002 15:49:05 by Sergei Golubchik

Hi!

On Oct 01, Plesk Support wrote:

> Any user in mysql can create as many databases as he wants.
> Create a user with 1 database, and let him create a database with the name
> "my_data_base". Log into the mysql console as that user and run the command:
>
> CREATE DATABASE "my?data?base";
>
> New database will be created and user can create tables and use it as normal
> database. You can also create "my?data_base", "my_data?base", or try
> to use *,$, #, a-z, A-Z.... and other symbols instead of underlines "_" ...
>
> I've just tried to log into the MySQL console as a usual non-privileged user with
> N,N,N,N... permissions in "mysql.user" and tried to create some base with
> other names -- no permissions error. However I COULD create 5 databases
> with names similar to "my_data_base"... I can operate them (as this
> user) without problems. Seems like a huge hole in our MySQL (or MySQL at all).

No, it is not.

As noted in the manual
("Access Control, Stage 2: Request Verification" section),
the mysql.db and mysql.host tables accept
wildcards in the Db and Host fields of either table.

We will add a note to the GRANT section to make it more clear, thank you for
the hint.

Regards,
Sergei

--
MySQL Development Team
Sergei Golubchik
MySQL AB, http://www.mysql.com/
Osnabrueck, Germany
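The behaviour Sergei points to is that the Db column of mysql.db is matched LIKE-style, so `_` in a granted database name is a single-character wildcard and `%` matches any run of characters; a provisioning system that grants on `my_data_base` therefore also grants on `my?data?base`. The following is an added example (not code from the thread, Plesk or MySQL) that models that matching, escapes a literal database name so a GRANT covers only that name, and flags existing Db rows that still contain unescaped wildcards. The constructed database names and the `grant_statement` output are illustrative; the escape rule (`\` before `_` and `%`) is the one documented for GRANT.

```python
import re

# Assumption (per the manual section cited above): in mysql.db, '_' matches
# any single character, '%' matches any run, and a backslash makes the next
# character literal. Case handling is ignored in this model.
def db_pattern_to_regex(pattern: str) -> str:
    """Translate a mysql.db Db pattern into an anchored Python regex."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "\\" and i + 1 < len(pattern):   # escaped char: literal
            out.append(re.escape(pattern[i + 1]))
            i += 2
            continue
        out.append("." if c == "_" else ".*" if c == "%" else re.escape(c))
        i += 1
    return "^" + "".join(out) + "$"

def db_matches(pattern: str, dbname: str) -> bool:
    """True if the Db-column pattern grants access to this database name."""
    return re.fullmatch(db_pattern_to_regex(pattern), dbname) is not None

def databases_reachable(pattern: str, names: list) -> list:
    """Which of the given database names a single mysql.db row covers."""
    return [n for n in names if db_matches(pattern, n)]

def escape_db_name(name: str) -> str:
    """Escape a literal database name so a GRANT on it matches only that name."""
    return name.replace("\\", "\\\\").replace("_", "\\_").replace("%", "\\%")

def grant_statement(dbname: str, user: str, host: str) -> str:
    """Hardened GRANT: the escaped name lands verbatim in the Db column."""
    return f"GRANT ALL PRIVILEGES ON `{escape_db_name(dbname)}`.* TO '{user}'@'{host}';"

def has_unescaped_wildcard(pattern: str) -> bool:
    """Audit check for rows fetched from mysql.db: any live '_' or '%' left?"""
    return re.search(r"(?<!\\)(?:\\\\)*[_%]", pattern) is not None

# Constructed sample: databases a hosting customer might create on the server.
SAMPLE_DB_NAMES = ["my_data_base", "my?data?base", "my_data?base",
                   "myXdataYbase", "other_db"]

if __name__ == "__main__":
    print("unescaped grant covers:", databases_reachable("my_data_base", SAMPLE_DB_NAMES))
    print("escaped grant covers:  ", databases_reachable(escape_db_name("my_data_base"), SAMPLE_DB_NAMES))
    print(grant_statement("my_data_base", "customer1", "localhost"))
```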
