Bug #31515 show create table on a federated engine table shows userid/password fields
Submitted: 10 Oct 2007 19:10
Modified: 10 Oct 2007 20:20
Reporter: Andrew Carlson
Status: Not a Bug
Category: MySQL Server: Federated storage engine
Severity: S3 (Non-critical)
Version: 5.0.45-community-nt-log
OS: Any
Assigned to:
CPU Architecture: Any

[10 Oct 2007 19:10] Andrew Carlson
Description:
Doing a 'show create table' on a federated engine table shows the userid and password. I even created a user with only the select privilege, and it still showed userid and password. Unless there is a separate userid/password on the hosting system, it seems like this gives info that could be used to attack the hosting system.

How to repeat:
Create a federated storage engine table, then do 'show create table'.

Suggested fix:
I would suggest leaving out the connection information for lower levels of security.

[10 Oct 2007 20:20] Sveta Smirnova
Thank you for taking the time to write to us, but this is not a bug. Please double-check the documentation available at http://dev.mysql.com/doc/ and the instructions on how to report a bug at http://bugs.mysql.com/how-to-report.php

According to http://dev.mysql.com/doc/refman/5.0/en/federated-use.html: "Because any password given in the connection string is stored as plain text, it can be seen by any user who can use SHOW CREATE TABLE or SHOW TABLE STATUS for the FEDERATED table, or query the TABLES table in the INFORMATION_SCHEMA database." this is expected behaviour.
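
Since the behaviour is documented rather than fixed, an administrator can at least inventory which FEDERATED tables carry a plaintext password. The following is an added example, not part of the bug thread or of MySQL itself: it scans `SHOW CREATE TABLE` or dump text for FEDERATED `CONNECTION` strings and reports them with the password redacted. The function name `audit_federated` and the sample DDL (hosts, users, passwords) are constructed for illustration.

```python
import re

# Constructed sample of SHOW CREATE TABLE output; hosts, users and passwords are made up.
SAMPLE_DDL = """
CREATE TABLE `orders_remote` (
  `id` int(11) NOT NULL
) ENGINE=FEDERATED DEFAULT CHARSET=latin1 CONNECTION='mysql://fed_user:ExamplePw1@db.example.test:3306/shop/orders';
CREATE TABLE `audit_remote` (
  `id` int(11) NOT NULL
) ENGINE=FEDERATED DEFAULT CHARSET=latin1 CONNECTION='mysql://fed_ro@db.example.test/shop/audit';
CREATE TABLE `local_t` (
  `id` int(11) NOT NULL
) ENGINE=MyISAM DEFAULT CHARSET=latin1;
"""

NAME_RE = re.compile(r"CREATE TABLE\s+`?([^`\s(]+)", re.I)
ENGINE_RE = re.compile(r"ENGINE\s*=\s*FEDERATED\b", re.I)
CONN_RE = re.compile(r"CONNECTION\s*=\s*'([^']*)'", re.I)
# scheme://user[:password]@host[:port]/db/table; the password may itself contain '@',
# so it is matched greedily up to the last '@' in the string.
URL_RE = re.compile(
    r"^(?P<scheme>\w+)://(?P<user>[^:@/]+)(?::(?P<pw>.*))?@(?P<rest>[^@]+)$"
)


def audit_federated(ddl):
    """Return (table, connection_with_password_redacted, password_present) per FEDERATED table."""
    findings = []
    # Split in front of every CREATE TABLE so a ';' inside a string cannot end a statement early.
    for chunk in re.split(r"(?=CREATE TABLE)", ddl, flags=re.I):
        name = NAME_RE.match(chunk)
        conn = CONN_RE.search(chunk)
        if not (name and conn and ENGINE_RE.search(chunk)):
            continue
        url = URL_RE.match(conn.group(1))
        if url and url.group("pw"):
            redacted = "{}://{}:***@{}".format(url["scheme"], url["user"], url["rest"])
            findings.append((name.group(1), redacted, True))
        else:
            # No password in the string, or not in URL form: report it unchanged.
            findings.append((name.group(1), conn.group(1), False))
    return findings


if __name__ == "__main__":
    for table, conn, exposed in audit_federated(SAMPLE_DDL):
        print(("EXPOSED " if exposed else "ok      ") + table + "  " + conn)
```

Any table reported as exposed reveals its remote credential to every account that can run SHOW CREATE TABLE on it, so that remote account should hold only the privileges the federated table needs.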