13 messages in com.mysql.lists.bugs: Re: Serious exploit concerning privil...

| From | Sent On | Attachments |
|---|---|---|
| Bjoern Wilmsmann | 07 Aug 2002 03:14 | |
| Sameh Attia | 07 Aug 2002 05:17 | |
| Peter Zaitsev | 07 Aug 2002 05:28 | |
| Bjoern Wilmsmann | 07 Aug 2002 05:45 | |
| Sameh Attia | 07 Aug 2002 07:22 | |
| Sinisa Milivojevic | 07 Aug 2002 08:25 | |
| Peter Zaitsev | 07 Aug 2002 10:10 | |
| Sinisa Milivojevic | 07 Aug 2002 11:56 | |
| Sinisa Milivojevic | 07 Aug 2002 11:58 | |
| Bjoern Wilmsmann | 07 Aug 2002 12:16 | |
| Benjamin Pflugmann | 07 Aug 2002 14:05 | |
| Bjoern Wilmsmann | 07 Aug 2002 17:50 | |
| Sinisa Milivojevic | 08 Aug 2002 05:30 | |

| Subject: | Re: Serious exploit concerning privilege system |
|---|---|
| From: | Sinisa Milivojevic (sin...@mysql.com) |
| Date: | 08/07/2002 08:25:38 AM |
| List: | com.mysql.lists.bugs |

Bjoern Wilmsmann writes:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On Wednesday, 7 August 2002 14:29, Peter Zaitsev wrote:
> > As soon as we get a repeatable bug report we'll try to fix this shortly.
>
> Ok, here we go:
>
> We use MySQL 4.0.0. alpha
>
> How-To-Repeat: Execute the following queries:
>
> USE mysql;
>
> INSERT INTO db (Host, Db, User, Select_priv, Insert_priv, Update_priv, Delete_priv, Create_priv, Drop_priv, Grant_priv, References_priv, Index_priv, Alter_priv)
> VALUES ('%', '', '', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y');
>
> INSERT INTO user (Host, User, Password, Select_priv, Insert_priv, Update_priv, Delete_priv, Create_priv, Drop_priv, Reload_priv, Shutdown_priv, Process_priv, File_priv, Grant_priv, References_priv, Index_priv, Alter_priv)
> VALUES ('%', '', PASSWORD(''), 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N');
>
> INSERT INTO db (Host, Db, User, Select_priv, Insert_priv, Update_priv, Delete_priv, Create_priv, Drop_priv, Grant_priv, References_priv, Index_priv, Alter_priv)
> VALUES ('%', 'testdb', 'testuser', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y', 'Y');
>
> INSERT INTO user (Host, User, Password, Select_priv, Insert_priv, Update_priv, Delete_priv, Create_priv, Drop_priv, Reload_priv, Shutdown_priv, Process_priv, File_priv, Grant_priv, References_priv, Index_priv, Alter_priv)
> VALUES ('%', 'testuser', PASSWORD('testpassword'), 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N', 'N');
>
> After having done so, connect to the MySQL-Server with the user 'testuser' and you will have full access to all databases existing on that system, though 'testuser' is supposed to only have access to the database 'testdb'.
>
> - --
> Bjoern Wilmsmann - Systems Programmer
> gamigo® AG
> Butterstr. 13
> 48431 Rheine
> Tel. +49 5971-899060
> Fax +49 5971-8990611

Thanks for your test case, which I will test today.
In principle, we discourage meddling directly with privilege tables. We recommend using GRANT / REVOKE instead.

--
Regards,
   __  ___     ___ ____  __
  /  |/  /_ __/ __/ __ \/ /    Mr. Sinisa Milivojevic <sin...@mysql.com>
 / /|_/ / // /\ \/ /_/ / /__   MySQL AB, Fulltime Developer
/_/  /_/\_, /___/\___\_\___/   Larnaca, Cyprus
       <___/   www.mysql.com
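
The GRANT-based setup recommended in the reply above, followed by an audit of the privilege tables, as an added example that is not part of the original thread. It reuses the report's names (`testuser`, `testpassword`, `testdb`) and assumes a MySQL 4.0-era server whose `mysql.user` table still has a `Password` column.

```sql
-- Added example, not from the thread. Names are taken from the report;
-- the server version (MySQL 4.0-era grant tables) is an assumption.

-- 1. Create the account and scope it to one database through GRANT instead
--    of INSERTs into mysql.user / mysql.db. The privilege list mirrors the
--    'Y' columns of the report's db row for 'testdb' (Grant_priv becomes
--    WITH GRANT OPTION).
--    IDENTIFIED BY inside GRANT was removed in MySQL 8.0; on such servers
--    create the account with CREATE USER first.
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, REFERENCES, INDEX, ALTER
    ON testdb.*
    TO 'testuser'@'%' IDENTIFIED BY 'testpassword'
    WITH GRANT OPTION;

-- 2. Ask the server what it believes the account may do. Anything beyond
--    USAGE on *.* plus the testdb.* privileges is unexpected.
SHOW GRANTS FOR 'testuser'@'%';

-- 3. Audit mysql.db for rows that are not tied to a named database or a
--    named user, such as the ('%', '', '') row from the report.
SELECT Host, Db, User
  FROM mysql.db
 WHERE Db IN ('', '%')
    OR User = '';

-- 4. Audit mysql.user for accounts with an empty user name or an empty
--    password, such as the ('%', '', PASSWORD('')) row from the report.
SELECT Host, User
  FROM mysql.user
 WHERE User = ''
    OR Password = '';
```

GRANT updates the in-memory privilege cache itself, so no FLUSH PRIVILEGES is needed; rows returned by steps 3 and 4 are candidates for review rather than proof of a problem.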




