Bug #16418 Events: Security breach
Submitted: 12 Jan 2006 4:09
Modified: 22 Mar 2006 15:25
Reporter: Peter Gulutzan
Status: Can't repeat
Category: MySQL Server: Stored Routines
Severity: S3 (Non-critical)
Version:
OS:
Assigned to: Andrey Hristov
CPU Architecture: Any

[12 Jan 2006 4:09] Peter Gulutzan
Description:
Suppose a user has EVENT privilege, and has SELECT
privilege on table t2, but does not have SELECT
privilege on table t1. There's a way that user
can find out what's in table t1.

How to repeat:

As user root, say:
CREATE TABLE t1 (s1 INT);
CREATE TABLE t2 (s1 INT);
GRANT EVENT ON *.* TO x@localhost;
GRANT SELECT ON t2 TO x@localhost;
SET GLOBAL event_scheduler = 1;
INSERT INTO t1 VALUES (0);

As user x@localhost, say:
CREATE EVENT e_25
ON SCHEDULE EVERY 1 MINUTE
DO INSERT INTO db1.t2 SELECT * FROM db1.t1;

Now, by selecting from t2, x@localhost can see
the contents of t1.
[12 Jan 2006 14:55] MySQL Verification Team
Hi Peter,

I was unable to repeat:

miguel@hegel:~/dbs/5.1> bin/mysql -uroot test
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 3 to server version: 5.1.6-alpha-debug

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> CREATE TABLE t1 (s1 INT);
Query OK, 0 rows affected (0.01 sec)

mysql> CREATE TABLE t2 (s1 INT);
Query OK, 0 rows affected (0.00 sec)

mysql> GRANT EVENT ON *.* TO x@localhost;
Query OK, 0 rows affected (0.01 sec)

mysql> GRANT SELECT ON t2 TO x@localhost;
Query OK, 0 rows affected (0.00 sec)

mysql> SET GLOBAL event_scheduler = 1;
Query OK, 0 rows affected (0.00 sec)

mysql> INSERT INTO t1 VALUES (0);
Query OK, 1 row affected (0.00 sec)

mysql> exit
Bye
miguel@hegel:~/dbs/5.1> bin/mysql -ux test
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 5 to server version: 5.1.6-alpha-debug

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> CREATE EVENT e_25
    -> ON SCHEDULE EVERY 1 MINUTE
    -> DO INSERT INTO db1.t2 SELECT * FROM db1.t1;
ERROR 1044 (42000): Access denied for user 'x'@'localhost' to database 'test'
[13 Feb 2006 0:02] Bugs System
No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
[19 Feb 2006 1:13] Andrey Hristov
I suppose he had old mysql.user/mysql.db tables which do not include Event_priv. Maybe it's good to be retested with current BK, or well once the fix for #16992 is approved and pushed. The scheduler checks whether mysql.event is tampered with and whether mysql.db and mysql.user have Event_priv. If not present it will cease to work with an error message (on the console).
[22 Mar 2006 15:25] MySQL Verification Team
I was not able to repeat the behavior reported.
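
The 19 Feb 2006 comment attributes the report to grant tables that lack Event_priv. As an added example (not part of the original thread and not MySQL's own code), these read-only queries check for that column, list the accounts holding EVENT, and list events with their definers. They assume a server that exposes information_schema.EVENTS; the db1.t1 filter reuses the table name from the report.

```sql
-- Added audit example; every statement is a read-only SELECT.

-- 1. Do the grant tables carry the Event_priv column?
--    Expect two rows: one for mysql.user and one for mysql.db.
--    A missing row means the grant tables predate the EVENT privilege
--    and need upgrading before events are used.
SELECT TABLE_NAME, COLUMN_NAME, COLUMN_TYPE
FROM information_schema.COLUMNS
WHERE TABLE_SCHEMA = 'mysql'
  AND TABLE_NAME IN ('user', 'db')
  AND COLUMN_NAME = 'Event_priv';

-- 2. Which accounts hold EVENT, and at what scope?
--    GRANT EVENT ON *.* (as in the report) shows up as a global row.
SELECT GRANTEE, 'global' AS scope, NULL AS db
FROM information_schema.USER_PRIVILEGES
WHERE PRIVILEGE_TYPE = 'EVENT'
UNION ALL
SELECT GRANTEE, 'database' AS scope, TABLE_SCHEMA AS db
FROM information_schema.SCHEMA_PRIVILEGES
WHERE PRIVILEGE_TYPE = 'EVENT';

-- 3. Which events exist, who defined them, and what do they run?
--    Review each DEFINER against the tables named in EVENT_DEFINITION.
SELECT EVENT_SCHEMA, EVENT_NAME, DEFINER, STATUS, EVENT_DEFINITION
FROM information_schema.EVENTS
ORDER BY DEFINER, EVENT_SCHEMA, EVENT_NAME;

-- 4. Narrowed to the table from the report: events whose body
--    mentions db1.t1, for comparison with who may SELECT from it.
SELECT EVENT_SCHEMA, EVENT_NAME, DEFINER
FROM information_schema.EVENTS
WHERE EVENT_DEFINITION LIKE '%db1.t1%';
```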