Bug #25148 user history accessible to others
Submitted: 18 Dec 2006 15:57
Modified: 27 Jan 2013 19:44
Reporter: luca nanetti
Status: No Feedback
Category: MySQL Server: Command-line Clients
Severity: S4 (Feature request)
Version: 5.0.27-community-nt
OS: Windows (win xp)
Assigned to:
CPU Architecture: Any
Tags: accessibility, history, users

[18 Dec 2006 15:57] luca nanetti
Description:
say, a user 'bob' connects to a database using the command line client mysql.exe; he enters various commands, use databasename, selects, any.

bob enters 'quit' to exit to the dos prompt, and he doesn't close the command prompt window

a user 'alice' uses the same dos command prompt to connect to the same database server; using arrow keys she can then access bob's history.

that's bad, because this way alice can:
a) get information about databases she was not authorized to know
b) get information about bob's privileges, if she knows that bob was the previous user

How to repeat:
open a command prompt window

access the database server using mysql.exe, as user 'bob'

execute some command

quit, don't close the command prompt window

using the same command prompt window, access as user 'alice'

using the up and down arrow keys, you'll see bob's history

Suggested fix:
I assume that history is preserved somewhere locally; destroy it on 'quit' command.
[18 Dec 2006 19:56] Valeriy Kravchuk
Thank you for a problem report. Sorry, but this (having the history of commands entered) is, in fact, a default behaviour of cmd.exe command line window. MySQL command line client does not store these anywhere.

Can you, please, explain to me (just copy and paste command line window session), how this can happen:

"... this way alice can:
a) get information about databases she was not authorized to know
b) get information about bob's privileges, if she knows that bob was the
previous user"

if previous user exited, and had NOT (!) provided his MySQL password in the mysql command line? If he used: 

mysql -uroot -ppass

then he also could just write that password on a sticky note and post it on the monitor... MySQL cannot fix people's behaviour.
[27 Dec 2012 19:44] MySQL Verification Team
I'd recommend alice and bob get individual windows login accounts. After that, will this still be an issue? I see no bug here, nor a reasonable feature request.
[28 Jan 2013 1:00] Bugs System
No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".