Bug #42864 Please provide a new 'meta' privilege
Submitted: 15 Feb 2009 8:18
Modified: 29 Jul 2009 21:18
Reporter: Pantelis Koukousoulas
Status: Verified
Category: MySQL Server: Security: Privileges
Severity: S4 (Feature request)
Version:
OS: Any
Assigned to:
CPU Architecture: Any
Triage: Needs Triage: D5 (Feature request)

[15 Feb 2009 8:18] Pantelis Koukousoulas
Description:
Currently there is no privilege to disallow 'meta' queries in MySQL. I define 'meta' queries to be the likes of 'SHOW TABLES', database(), system_user(), SHOW GRANTS and all queries to the information_schema.

The fact is, for most simple webapps that are prone to SQL injection bugs, the above queries are not needed at all and are only useful to attackers.

The above queries also allow people to write essays/presentations of the type: "How to hack a MySQL database in 3 easy steps", which is (should be?) imho a bit embarrassing.

Without 'meta queries'/introspection, someone that has found an SQL injection vuln will have to recover the structure of the database mostly by guesswork which will probably make the life of the attacker a bit harder.

I make no claim that this will solve the SQL injection problem or anything and indeed all vulnerable applications should be fixed, but disallowing the above queries would quite likely make a *lot* of "hacking for dummies" howtos out there useless and this has several positive side effects :-)

Anyway, the ability to disable features that are useless (in a given context) except as attack vectors is system security 101.

Note that typically this privilege would be set to 'N' for the user the application uses to 

How to repeat:
1) Create a test database and a test user

2) Give the user only a 'select' privilege on the database.

3) Log in with the mysql shell

4) SHOW TABLES works
   SHOW GRANTS works
   SHOW DATABASES works and shows the current database and information_schema
   ...

The above means that once you can issue queries against a database (through a vulnerability), it is a straightforward, deterministic process to get all the info you want from all the tables of this database. It would be nice if that wasn't the case.

Suggested fix:
1) Introduce e.g., a 'META' privilege.

2) This would default to 'Y' for all existing databases
   for backwards compatibility reasons.

3) Check this privilege for all the above 'meta' queries and only answer
   if it is 'Y', otherwise 'permission denied'
[15 Feb 2009 8:25] Pantelis Koukousoulas
Btw, I'd expect those queries to be a slow path for even the apps that need them, so the extra check is unlikely to cause any major performance problems.
[15 Feb 2009 8:30] Pantelis Koukousoulas
Also, there are current workarounds like turning each table into a database (intrusive, amazingly ugly) or using mysql_proxy to filter those queries (unnecessarily introducing an extra point of failure) but a simple additional privilege would be preferable imho.

Mysql_proxy + a form of machine learning would still be the better solution if you want to context-sensitively disallow some application-level queries or something of similar complexity but not for the simple case.
[29 Jul 2009 21:18] Sveta Smirnova
Thank you for the feature request.

Although I'd say this is not necessary, because you can use VIEWs to hide data about table structures.
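
The "How to repeat" setup from the report next to the VIEW layout suggested in the last comment, as an added example that is not part of the original thread. All database, table, view and user names and the password are constructed.

```sql
-- Constructed schema: one base table with a column the application never needs.
CREATE DATABASE shop;
CREATE TABLE shop.customers (
  id            INT PRIMARY KEY,
  email         VARCHAR(255) NOT NULL,
  password_hash CHAR(60)     NOT NULL
);

-- Report, steps 1-2: a user holding only SELECT on the whole database.
CREATE USER 'app_ro'@'localhost' IDENTIFIED BY 'change-me';
GRANT SELECT ON shop.* TO 'app_ro'@'localhost';

-- Report, steps 3-4: statements to run in a session connected as app_ro.
SHOW TABLES FROM shop;
SHOW GRANTS;
SELECT table_name, column_name
  FROM information_schema.columns
 WHERE table_schema = 'shop';

-- VIEW layout (run as the administrative account again): the application
-- schema holds only views over the columns the application actually reads.
CREATE DATABASE shop_api;
CREATE SQL SECURITY DEFINER VIEW shop_api.customer_contact AS
  SELECT id, email FROM shop.customers;

-- The application account gets SELECT on that one view and nothing else:
-- no grant on shop.*, and no SHOW VIEW privilege.
CREATE USER 'app_api'@'localhost' IDENTIFIED BY 'change-me';
GRANT SELECT ON shop_api.customer_contact TO 'app_api'@'localhost';

-- The same checks, to run in a session connected as app_api.
SELECT id, email FROM shop_api.customer_contact;
SELECT * FROM shop.customers;
SHOW CREATE VIEW shop_api.customer_contact;
SELECT table_schema, table_name, column_name
  FROM information_schema.columns
 WHERE table_schema IN ('shop', 'shop_api');
SHOW GRANTS;
```

As `app_api`, the read through the view succeeds while the direct read of `shop.customers` and `SHOW CREATE VIEW` are refused, and `information_schema` lists only `customer_contact` with its two columns. `SHOW GRANTS`, `database()` and `system_user()` still answer for that account, so the view layout limits what introspection reveals without switching it off as the requested privilege would.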