Bug #43287 | mysql user's password exposed through mysql administrator | | |
---|---|---|---|
Submitted: | 1 Mar 2009 11:57 | Modified: | 15 Jan 2010 11:54 |
Reporter: | josh haglund | Email Updates: | |
Status: | Closed | Impact on me: | |
Category: | MySQL Workbench | Severity: | S2 (Serious) |
Version: | 5.1, 5.2 | OS: | Any (Ubuntu 8.10, MacOSX) |
Assigned to: | Alexander Musienko | CPU Architecture: | Any |
Tags: | CHECKED, password, root, Security | | |
[1 Mar 2009 11:57]
josh haglund
[1 Mar 2009 12:02]
josh haglund
On second thought, that suggested fix won't work. pass would still be exposed.
[3 Mar 2009 11:51]
Susanne Ebrecht
Many thanks for writing a bug report. Because we are on the way to implementing the full functionality of MySQL Administrator in MySQL Workbench, we won't fix this anymore in MySQL Administrator. But your hint is very important for MySQL Workbench as well. So I will change the category here and will test whether our Workbench release is affected too.
[19 Oct 2009 7:04]
Susanne Ebrecht
I will look if this still is true for Workbench 5.2
[11 Dec 2009 7:51]
Giuseppe Maxia
screen shot of the password exposure
Attachment: Screen shot 2009-12-11 at 08.48.19 .png (image/png, text), 157.20 KiB.
[11 Dec 2009 7:52]
Giuseppe Maxia
The attached screen shot above documents the password exposure. The password of the remote server is "testpwd". As you can see, after the user inserts the password in a masked form, it is written clearly in the log.
[15 Dec 2009 19:01]
Maksym Yehorov
Giuseppe, maybe I missed that part, but can you tell us the client and server OS? The client is the box where Workbench is run, the server, respectively, where the server runs. Also, is it the same machine or two boxes?
[15 Dec 2009 19:23]
Giuseppe Maxia
Maksym, Server and client are two Mac OSX laptops with Snow Leopard. There are two separate machines. WB is connecting using an SSH tunnel with SSH key.
[18 Dec 2009 9:16]
Giuseppe Maxia
Actually, there are two password exposure problems:
* one is in the main admin screen (where the start/stop button is), and this exposes the operating system password asked for "sudo".
* the other is in the dump screen, where the mysql user password is exposed.
[18 Dec 2009 14:26]
Maksym Yehorov
Password exposing via logs is fixed.
[13 Jan 2010 13:20]
Johannes Taxacher
This has been fixed in Workbench 5.2 now. The UI doesn't display the password anymore, and we're using temp files to hold the connection info which we're passing to the client-/dump-binary. The changes will be included in 5.2.12.
[15 Jan 2010 11:54]
Tony Bedford
A 'security fix' entry has been added to the 5.2.12 changelog: The password for the connected MySQL Server was exposed by the SQL Administrator in MySQL Workbench. The password was displayed in plain text form in the Startup Message Log on the Startup tab of the Admin page.
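The thread above describes two things: the leak (the password ended up in the Startup Message Log because it was part of the command line handed to the client/dump binary) and the fix (hold the connection info in a temporary file instead). The following Python is an added illustration of that pattern and is not code from the bug report, from MySQL Workbench, or from any of the commenters. It assumes a launcher that builds a `mysqldump` command line; the host, user and password are constructed sample values, and the command is only built and logged, never executed, so the example runs offline. The `--defaults-extra-file` option is a real `mysqldump` option and must be the first option on the command line; `[client]` is the option-file section the MySQL client tools read.

```python
import os
import shlex
import tempfile

# Constructed sample connection info (not taken from the bug report).
CONN = {
    "host": "db.example.internal",
    "port": 3306,
    "user": "backup",
    "password": "testpwd",
}


def vulnerable_dump_command(conn):
    """The leaking shape: the password is an argv element, so any code that
    logs the command line (or anyone running `ps`) sees it in clear text."""
    return [
        "mysqldump",
        f"--host={conn['host']}",
        f"--port={conn['port']}",
        f"--user={conn['user']}",
        f"--password={conn['password']}",
        "--all-databases",
    ]


def write_defaults_file(conn, directory=None):
    """Write a throwaway MySQL option file holding the credentials.

    mkstemp already creates the file 0600; the chmod makes that explicit so a
    permissive umask or a different tempfile implementation cannot widen it.
    """
    fd, path = tempfile.mkstemp(prefix="wb-conn-", suffix=".cnf", dir=directory)
    with os.fdopen(fd, "w") as f:
        f.write("[client]\n")
        f.write(f"host={conn['host']}\n")
        f.write(f"port={conn['port']}\n")
        f.write(f"user={conn['user']}\n")
        f.write(f"password={conn['password']}\n")
    os.chmod(path, 0o600)
    return path


def safe_dump_command(defaults_path):
    """The fixed shape: argv carries only the path of the option file.
    --defaults-extra-file has to be the first option for the MySQL tools."""
    return ["mysqldump", f"--defaults-extra-file={defaults_path}", "--all-databases"]


def redacted_log_line(argv, secrets):
    """What a startup log should record: the command with secrets masked.
    Belt and braces: even if a caller logs the vulnerable argv, the log
    never carries the password."""
    text = " ".join(shlex.quote(a) for a in argv)
    for secret in secrets:
        if secret:
            text = text.replace(secret, "********")
    return text


def leaks_secret(argv, secret):
    """True if the secret appears anywhere in the command line."""
    return any(secret in arg for arg in argv)


def run_demo(conn=CONN):
    """Build both command lines, check where the password ends up, clean up."""
    vulnerable = vulnerable_dump_command(conn)
    path = write_defaults_file(conn)
    try:
        safe = safe_dump_command(path)
        with open(path) as f:
            contents = f.read()
        mode = os.stat(path).st_mode & 0o777
    finally:
        os.unlink(path)  # the credentials must not outlive the dump run
    return {
        "vulnerable_leaks": leaks_secret(vulnerable, conn["password"]),
        "safe_leaks": leaks_secret(safe, conn["password"]),
        "safe_argv": safe,
        "file_mode": mode,
        "file_contents": contents,
        "redacted_log": redacted_log_line(vulnerable, [conn["password"]]),
        "file_removed": not os.path.exists(path),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

The point a practitioner should take from this is that moving the secret out of argv is necessary but not sufficient: the option file has to be created with restrictive permissions before the secret is written, deleted as soon as the child process has started, and anything that logs the launch should still redact known secrets so a later refactor cannot reintroduce the exposure.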