Bug #22098 MySQL Admin not properly dealing with passwords for Text Console
Submitted: 7 Sep 2006 21:45 Modified: 11 Sep 2006 14:39
Reporter: Joshua Kugler (Basic Quality Contributor) Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Administrator Severity:S1 (Critical)
Version:1.1.11 OS:Linux (Linux (tar.gz download))
Assigned to: Alfredo Kojima CPU Architecture:Any

[7 Sep 2006 21:45] Joshua Kugler 
Description:
1. When a mysql password contains a $, the rest of the password is cut off due to bash shell rules.  Thus, if the password is var$xxx, what gets passed to mysql is -pvar.  I would assume it would also do odd things if a ';' was in the password. I did not verify that.  This is also a possible security hole, as arbitrary shell commands could be run...but someone would have to set the user's password to something malicious first.

2. The user's password (in its entirety, oddly enough) is used to set the title of the console window that opens up, so now anyone looking over your shoulder while you are using the text console.  This is a major security glitch.

How to repeat:
move mysql to mysql.real

Create a bash script named /usr/bin/mysql that contains:

#!/bin/sh
mysql.real $@
echo $@
read x

MySQL Admin will run this, and pause, allowing you to read the error message.

Suggested fix:
Properly escape passwords before passing them to the shell.

Don't use the password as the shell window's title.
[11 Sep 2006 14:39] Alfredo Kojima 
Thank you for your bug report. This issue has been committed to our source repository of that product and will be incorporated into the next release.

If necessary, you can access the source repository and build the latest available version, including the bug fix. More information about accessing the source trees is available at

    http://dev.mysql.com/doc/en/installing-source.html