Bug #28565 | Information disclosure during SELECT | ||
---|---|---|---|
Submitted: | 21 May 2007 15:39 | Modified: | 8 Jun 2007 11:14 |
Reporter: | Andrey Hristov | Email Updates: | |
Status: | Verified | Impact on me: | |
Category: | MySQL Server: Security: Privileges | Severity: | S3 (Non-critical) |
Version: | 5.1, 5.0 | OS: | Any |
Assigned to: | Assigned Account | CPU Architecture: | Any |
[21 May 2007 15:39]
Andrey Hristov
[8 Jun 2007 11:14]
Sveta Smirnova
Thank you for the report. Verified as described.
[27 Jun 2007 20:29]
Mr Wakazula
I too came across the same problem. Currently an error is thrown. It would be great if "SELECT * FROM SampleTable" would return only the fields for which you have access. For example:

```sql
CREATE TABLE `test`.`SampleTable` (
  `VisibleField1` BIGINT UNSIGNED NOT NULL AUTO_INCREMENT,
  `HiddenField2` VARCHAR(45) NOT NULL,
  `VisibleField3` VARCHAR(45) NOT NULL,
  PRIMARY KEY (`VisibleField1`)
) ENGINE = InnoDB;
```

If the current user only had sufficient privileges to `VisibleField1` and `VisibleField3`, then "SELECT * FROM SampleTable" should return:

```
+---------------+---------------+
| VisibleField1 | VisibleField3 |
+---------------+---------------+
| 1             | sample data   |
| 2             | sample data   |
| 3             | sample data   |
+---------------+---------------+
```

and not

```
+---------------+--------------+---------------+
| VisibleField1 | HiddenField2 | VisibleField3 |
+---------------+--------------+---------------+
| 1             | hidden data  | sample data   |
| 2             | hidden data  | sample data   |
| 3             | hidden data  | sample data   |
+---------------+--------------+---------------+
```
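The scenario in the comment above, written out as an added example (not part of the original report or of any commenter's post): column-level grants on the commenter's table, the `SELECT *` that is rejected, and a view that yields the two-column result with `SELECT *`. The account `'report_user'@'localhost'`, its placeholder password, the sample rows and the view name `SampleTableVisible` are assumptions made for illustration.

```sql
-- Constructed setup, run as an administrative account.
CREATE DATABASE IF NOT EXISTS test;

CREATE TABLE test.SampleTable (
  VisibleField1 BIGINT UNSIGNED NOT NULL AUTO_INCREMENT,
  HiddenField2  VARCHAR(45) NOT NULL,
  VisibleField3 VARCHAR(45) NOT NULL,
  PRIMARY KEY (VisibleField1)
) ENGINE = InnoDB;

INSERT INTO test.SampleTable (HiddenField2, VisibleField3) VALUES
  ('hidden data', 'sample data'),
  ('hidden data', 'sample data'),
  ('hidden data', 'sample data');

-- Hypothetical low-privilege account; replace the placeholder password.
CREATE USER 'report_user'@'localhost' IDENTIFIED BY 'PLACEHOLDER_PASSWORD';

-- Column-level privilege: only the two visible columns are readable.
GRANT SELECT (VisibleField1, VisibleField3)
  ON test.SampleTable TO 'report_user'@'localhost';

-- As report_user: the wildcard expands to every column, including
-- HiddenField2, so the statement fails with an access-denied error.
SELECT * FROM test.SampleTable;

-- As report_user: naming only the granted columns succeeds.
SELECT VisibleField1, VisibleField3 FROM test.SampleTable;

-- Alternative, run as the administrative account: expose the permitted
-- columns through a view and grant access to the view instead of the table.
CREATE VIEW test.SampleTableVisible AS
  SELECT VisibleField1, VisibleField3 FROM test.SampleTable;

REVOKE SELECT (VisibleField1, VisibleField3)
  ON test.SampleTable FROM 'report_user'@'localhost';
GRANT SELECT ON test.SampleTableVisible TO 'report_user'@'localhost';

-- As report_user: SELECT * now returns only the two visible columns.
SELECT * FROM test.SampleTableVisible;
```

The view relies on MySQL's default `SQL SECURITY DEFINER` behaviour, so the account needs `SELECT` on the view only and no privilege on the base table.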
[24 Jul 2007 12:55]
Mr Wakazula
Good morning. Does anyone know if there are plans to roll a fix into MySQL server for this issue?