RE: MySQL 5.0 information leak?



It's not semantics at all. Every password is a piece of undisclosed
information and NOBODY views that as security by obscurity. It's the corner
stone of AAA ... Something you know, something you have, something about
you.

-----Burton

-----Original Message-----
From: Lance James [mailto:bugtraq@xxxxxxxxxxxxxxxxx]
Sent: Sunday, January 22, 2006 10:48 AM
To: Burton Strauss
Cc: 'Bernd Wurst'; bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: MySQL 5.0 information leak?

Burton Strauss wrote:

>I'd get a refund on your coinage... root's password is not security by
>obscurity, it is an undisclosed piece of information. There is a big
>difference.
>
>

Now we're arguing symantics, undislosed information would also by the MySQL
information leak problem then too, as Bernd doesn't want to disclose such
information to an attacker.

>-----Burton
>
>-----Original Message-----
>From: Lance James [mailto:bugtraq@xxxxxxxxxxxxxxxxx]
>Sent: Saturday, January 21, 2006 2:09 PM
>To: Burton Strauss
>Cc: 'Bernd Wurst'; bugtraq@xxxxxxxxxxxxxxxxx
>Subject: Re: MySQL 5.0 information leak?
>
>Burton Strauss wrote:
>
>
>
>>Traditionally the schema for a database is NOT secure information.
>>Applications download this information to build queries on the fly.
>>
>>The essential problem is relying on security by obscurity, "I have
>>user accounts (nss) that have publicly available credentials but noone
>>[sic] should be able to see how the database really is organized".
>>
>>
>>
>>
>
>Denying the security through obscurity is not applicable could be
incorrect.
>It does have it's place i.e. what's your root password?
>
>In WebAppSec, security by obscurity assists in deterring attackers, and
>buying some time. So if one can prevent full disclosure of the schema
>of the db, that can be useful combined with security in depth.
>
>my two cents.
>
>-Lance
>
>
>
>>-----Burton
>>
>>-----Original Message-----
>>From: Bernd Wurst [mailto:bernd@xxxxxxxxxx]
>>Sent: Friday, January 20, 2006 6:05 AM
>>To: bugtraq@xxxxxxxxxxxxxxxxx
>>Subject: MySQL 5.0 information leak?
>>
>>Hi.
>>
>>I just upgraded to mysql 5.0.18 and started using all those cool new
>>features. :)
>>
>>But concerning VIEWs, I think the information_schema is too verbose to
>>the user. I started creating a VIEW that searches information from
>>several tables, mangles the data and gives the user a clean table with
>>his data. So far, so good.
>>
>>But I only give the user access to this VIEW, so he cannot see what's
>>done to get his data from several tables.
>>
>>SHOW CREATE VIEW myview;
>>does (correctly) result in an error that the user is not allowed to
>>see the CREATE VIEW.
>>
>>But SELECT * FROM information_schema.views; returns the full query
>>that ceates the desired VIEW.
>>
>>I think of this as a security issue because I have user accounts (nss)
>>that have publicly available credentials but noone should be able to
>>see how the database really is organized.
>>
>>What do you think of this? Bug?
>>
>>cu, Bernd
>>
>>--
>>Windows Error 019: User error. It's not our fault. Is not! Is not!
>>
>>
>>
>>
>>
>>
>
>
>
>



Relevant Pages

  • RE: Concepts: Security and Obscurity
    ... resources are limited and thus there is a cost to life. ... It is not obscurity in the manner being ... more you spend on security the less of an advantage is gained. ... It also ignores the requirements of a control function. ...
    (Security-Basics)
  • RE: Re: Concepts: Security and Obscurity
    ... so long as you understand that the server location and port number ... security in the slightest." ... Beale's assertion that "Obscurity Potentially Slows Down the Attacker". ... BDO Kendalls is a national association of separate partnerships and entities. ...
    (Security-Basics)
  • Re: NAT external/Public IP
    ... I remember working for an ISP a long while back that was threatened to be disconnected from the Internet if they did not stop routing the 10.x range in their BGP tables. ... Any views expressed in this message are those of the individual sender and not necessarily endorsed by BDO Kendalls. ... Why not Security by Design plus Security by Obscurity? ...
    (Security-Basics)
  • RE: Concepts: Security and Obscurity
    ... Subject: Concepts: Security and Obscurity ... I have at no point claimed absolute security measures or cost ... It also ignores the requirements of a control function. ...
    (Security-Basics)
  • RE: Re: Concepts: Security and Obscurity
    ... Subject: Concepts: Security and Obscurity ... BDO Kendalls is a national association of separate partnerships and entities. ... Maybe we can all agree that "port obscurity" is a special case of STO. ...
    (Security-Basics)