Bug #43287 mysql user's password exposed through mysql administrator
Submitted: 1 Mar 2009 11:57 Modified: 15 Jan 2010 11:54
Reporter: josh haglund Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Workbench Severity:S2 (Serious)
Version:5.1,5.2 OS:Any (Ubuntu 8.10, MacOSX)
Assigned to: Alexander Musienko CPU Architecture:Any
Tags: CHECKED, password, root, Security

[1 Mar 2009 11:57] josh haglund 
Description:
A user running the MySQL Administrator can expose their mysql account's password to other users/processes in a system.

The problem is that the full connection info (with user/pass) is passed as an argument to the terminal window used to start the MySQL Text Console.

When the MySQL Text Console is open, any user who can run ps can see the complete connection information used to log into MySQL Administrator.

How to repeat:
Connect to a server using MySQL Administrator
Open 'Tools->MySQL Text Console'
Open a terminal window
 ~$ ps aux | grep mysql

and you will see a terminal process with all the connection info

Suggested fix:
write the mysql password to a temp file with permissions denying all but the current user read/write.

Then initiate the terminal process feeding the password in as a file path argument -- in the mysql argument list, after -p, instead of entering the password, put `cat /path/to/tmp/file/with/pass`

then cleanup -- delete the password file after successfully logging into mysql
[1 Mar 2009 12:02] josh haglund 
On second thought, that suggested fix won't work.  pass would still be exposed.
[3 Mar 2009 11:51] Susanne Ebrecht 
Many thanks for writing a bug report. Because we are on the way to implement full functionality of MySQL Administrator into MySQL Workbench we won't fix this anymore in MySQL Administrator.

But you hint is very important for MySQL Workbench as well. 

So I will change category here and will test if our workbench release will be affected too.
[19 Oct 2009 7:04] Susanne Ebrecht 
I will look if this still is true for Workbench 5.2
[11 Dec 2009 7:51] Giuseppe Maxia 
screen shot of the password exposure

Attachment: Screen shot 2009-12-11 at 08.48.19 .png (image/png, text), 157.20 KiB.
[11 Dec 2009 7:52] Giuseppe Maxia 
The attached screen shot above documents the password exposure. 
The password of the remote server is "testpwd". As you can see, after the user inserts the password in a masked form, it is written clearly in the log.
[15 Dec 2009 19:01] Maksym Yehorov 
Giuseppe, maybe I missed that part, but can you tell us client and server OS?
client is a box where Workbench is run,
server - respectively where server runs.
Also is it the same machine or two boxes?
[15 Dec 2009 19:23] Giuseppe Maxia 
Maksym,
Server and client are two Mac OSX laptops with Snow Leopard.
There are two separate machines. WB is connecting using an SSH tunnel with SSH key.
[18 Dec 2009 9:16] Giuseppe Maxia 
Actually, there are two password exposure problems:
* one is in the main  admin screen (where the start/stop button is), and this exposes the operating system password asked for "sudo".
* the other is in the dump screen, where the mysql user password is exposed.
[18 Dec 2009 14:26] Maksym Yehorov 
Password exposing via logs is fixed.
[13 Jan 2010 13:20] Johannes Taxacher 
this has been fixed in workbench 5.2 now. UI doesn't display the password anymore and we're using temp files to hold the connection info which we're passing to the client-/dump-binary.
changes will be included in 5.2.12
[15 Jan 2010 11:54] Tony Bedford 
A 'security fix' entry has been added to the 5.2.12 changelog:

The password for the connected MySQL Server was exposed by the SQL Administrator in MySQL Workbench. The password was displayed in plain text form in the Startup Message Log on the Startup tab of the Admin page.