Bug #38837 need a way to disable information_schema for security
Submitted: 17 Aug 2008 4:01
Reporter: Morgan Tocker
Status: Verified
Category: MySQL Server: Information schema
Severity: S3 (Non-critical)
Version: 5.0+
OS: Any
Assigned to:
CPU Architecture: Any

[17 Aug 2008 4:01] Morgan Tocker
Description:
With just 'usage' privilege I can do this:
mysql> select * from GLOBAL_VARIABLES a, GLOBAL_VARIABLES b, GLOBAL_VARIABLES c;

I shouldn't be able to. I can also union on information_schema (couldn't on show commands), so it assists in SQL injection:

mysql> SELECT session_data FROM sessions WHERE sessid='eab71244afb687f16d8c4f5ee9d6ef0e' AND 1=0 UNION SELECT GROUP_CONCAT(table_name) FROM information_schema.tables where table_schema=DATABASE() GROUP BY table_schema;

How to repeat:
Upgrade from 4.1 to 5.0.  Have insecure application.

Suggested fix:
--disable-information-schema configuration directive, or similar.
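
One way to spot the metadata reads described in this report from a query log. This is an added example, not part of the bug report or of MySQL; the account names, the `ADMIN_ACCOUNTS` allowlist and the log records are constructed assumptions.

```python
import re

ADMIN_ACCOUNTS = {"dba@localhost"}  # assumption: accounts expected to read metadata

# Literals and comments are matched in one pass so neither can hide the other.
_TOKEN = re.compile(
    r"""'(?:[^'\\]|\\.|'')*'     # single-quoted literal
      | "(?:[^"\\]|\\.|"")*"     # double-quoted literal
      | /\*(?!!).*?\*/           # block comment; /*! ... */ bodies are executed, so kept
      | (?:--\s|\#)[^\n]*        # line comment
    """, re.S | re.X)
_IS_REF = re.compile(r"\binformation_schema\s*\.\s*(\w+)")
_UNION = re.compile(r"\bunion\b")

# Constructed sample records in (account, statement) form.
SAMPLE_LOG = [
    ("webapp@10.0.0.5", "SELECT session_data FROM sessions WHERE sessid='abc'"),
    ("webapp@10.0.0.5", "SELECT session_data FROM sessions WHERE sessid='abc' AND 1=0 "
     "UNION SELECT GROUP_CONCAT(table_name) FROM information_schema.tables "
     "where table_schema=DATABASE() GROUP BY table_schema"),
    ("webapp@10.0.0.5", "select * from information_schema.GLOBAL_VARIABLES a, "
     "information_schema.GLOBAL_VARIABLES b"),
    ("dba@localhost", "SELECT table_name FROM information_schema.tables"),
    ("webapp@10.0.0.5", "SELECT title FROM posts WHERE body LIKE '%information_schema.tables%'"),
]

def normalize(sql):
    """Blank out literals, drop comments and backticks, lowercase, collapse spaces."""
    sql = _TOKEN.sub(lambda m: "''" if m.group(0)[0] in "'\"" else " ", sql)
    sql = sql.replace("`", "").lower()
    return re.sub(r"\s+", " ", sql).strip()

def classify(account, sql):
    """Return None, 'direct' or 'union' for one logged statement."""
    if account in ADMIN_ACCOUNTS:
        return None
    norm = normalize(sql)
    ref = _IS_REF.search(norm)
    if ref is None:
        return None
    union = _UNION.search(norm)
    # information_schema reached through a UNION branch matches the report's injection shape.
    return "union" if union and union.start() < ref.start() else "direct"

def scan(records):
    return [(acct, kind, sql) for acct, sql in records if (kind := classify(acct, sql))]

if __name__ == "__main__":
    for acct, kind, sql in scan(SAMPLE_LOG):
        print(f"{kind:6} {acct}: {sql[:60]}")
```
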

[25 Nov 2009 6:46] Marc ALFF
A possible fix for 5.6:

With the work done in WL#2360 for the performance schema ACL and information schema ACL, this feature can be implemented by returning:

ACL_INTERNAL_ACCESS_CHECK_GRANT
instead of
ACL_INTERNAL_ACCESS_GRANTED
in 
IS_internal_schema_access::check()