Bug #50276 Security flaw in INFORMATION_SCHEMA.TABLES
Submitted: 12 Jan 2010 14:51 Modified: 12 Mar 2010 16:27
Reporter: Tushar Mahale
Status: Closed
Category: MySQL Server: Information schema Severity: S1 (Critical)
Version: 5.1.35, 5.5.99 OS: Linux
Assigned to: Georgi Kodinov CPU Architecture: Any
Tags: regression
Triage: Triaged: D2 (Serious)

[12 Jan 2010 14:51] Tushar Mahale
Description:
I am on MySQL version 5.1.35. A user can see a table in information_schema.tables on which he does not have any privileges:

information_schema.tables wouldn't show such tables to the user on 5.1.15.

Is this a known bug and fixed in some later version?

How to repeat:
mysql> use test
Database changed
mysql> create table t1 (id int);
Query OK, 0 rows affected (0.01 sec)

mysql> select user();
+----------------+
| user()         |
+----------------+
| root@localhost | 
+----------------+
1 row in set (0.01 sec)

mysql> create user 'dummy'@'localhost';
Query OK, 0 rows affected (0.00 sec)

------- login as dummy user -------

mysql> use information_schema
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> select * from TABLES where TABLE_NAME='t1';
+---------------+--------------+------------+------------+--------+---------+------------+------------+----------------+-------------+------------------+--------------+-----------+----------------+---------------------+---------------------+------------+-------------------+----------+----------------+---------------+
| TABLE_CATALOG | TABLE_SCHEMA | TABLE_NAME | TABLE_TYPE | ENGINE | VERSION | ROW_FORMAT | TABLE_ROWS | AVG_ROW_LENGTH | DATA_LENGTH | MAX_DATA_LENGTH  | INDEX_LENGTH | DATA_FREE | AUTO_INCREMENT | CREATE_TIME         | UPDATE_TIME         | CHECK_TIME | TABLE_COLLATION   | CHECKSUM | CREATE_OPTIONS | TABLE_COMMENT |
+---------------+--------------+------------+------------+--------+---------+------------+------------+----------------+-------------+------------------+--------------+-----------+----------------+---------------------+---------------------+------------+-------------------+----------+----------------+---------------+
| NULL          | test         | t1         | BASE TABLE | MyISAM |      10 | Fixed      |          0 |              0 |           0 | 1970324836974591 |         1024 |         0 |           NULL | 2010-01-12 06:47:03 | 2010-01-12 06:47:03 | NULL       | latin1_swedish_ci |     NULL |                |               | 
+---------------+--------------+------------+------------+--------+---------+------------+------------+----------------+-------------+------------------+--------------+-----------+----------------+---------------------+---------------------+------------+-------------------+----------+----------------+---------------+
1 row in set (0.00 sec)

mysql> select user();
+-----------------+
| user()          |
+-----------------+
| dummy@localhost | 
+-----------------+
1 row in set (0.00 sec)
[12 Jan 2010 20:54] Sveta Smirnova
Thank you for taking the time to write to us, but this is not a bug. Please double-check the documentation available at http://dev.mysql.com/doc/ and the instructions on
how to report a bug at http://bugs.mysql.com/how-to-report.php

Please read at http://dev.mysql.com/doc/refman/5.1/en/default-privileges.html about special privileges for database test.
[13 Jan 2010 6:54] Tushar Mahale
How come it is not a bug? The bug can very well be reproduced on any other database. Please use any other DB than "test", the bug will be reproduced.
[13 Jan 2010 7:06] Tushar Mahale
mysql> create database my_db;
Query OK, 1 row affected (0.00 sec)

mysql> use my_db;
Database changed
mysql> create table t1 (id int);
Query OK, 0 rows affected (0.01 sec)

mysql> select user();
+----------------+
| user()         |
+----------------+
| root@localhost | 
+----------------+
1 row in set (0.00 sec)

mysql> create user 'dummy'@'localhost';
Query OK, 0 rows affected (0.00 sec)

--- login as dummy ---

mysql> use information_schema
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> select * from TABLES where TABLE_NAME='t1';
+---------------+--------------+------------+------------+--------+---------+------------+------------+----------------+-------------+------------------+--------------+-----------+----------------+---------------------+---------------------+------------+-------------------+----------+----------------+---------------+
| TABLE_CATALOG | TABLE_SCHEMA | TABLE_NAME | TABLE_TYPE | ENGINE | VERSION | ROW_FORMAT | TABLE_ROWS | AVG_ROW_LENGTH | DATA_LENGTH | MAX_DATA_LENGTH  | INDEX_LENGTH | DATA_FREE | AUTO_INCREMENT | CREATE_TIME         | UPDATE_TIME         | CHECK_TIME | TABLE_COLLATION   | CHECKSUM | CREATE_OPTIONS | TABLE_COMMENT |
+---------------+--------------+------------+------------+--------+---------+------------+------------+----------------+-------------+------------------+--------------+-----------+----------------+---------------------+---------------------+------------+-------------------+----------+----------------+---------------+
| NULL          | my_db        | t1         | BASE TABLE | MyISAM |      10 | Fixed      |          0 |              0 |           0 | 1970324836974591 |         1024 |         0 |           NULL | 2010-01-12 22:52:47 | 2010-01-12 22:52:47 | NULL       | latin1_swedish_ci |     NULL |                |               | 
+---------------+--------------+------------+------------+--------+---------+------------+------------+----------------+-------------+------------------+--------------+-----------+----------------+---------------------+---------------------+------------+-------------------+----------+----------------+---------------+
1 row in set (0.00 sec)

mysql> select user();
+-----------------+
| user()          |
+-----------------+
| dummy@localhost | 
+-----------------+
1 row in set (0.00 sec)
[13 Jan 2010 7:14] Sveta Smirnova
Thank you for the feedback.

Verified as described. Version 5.0 is not affected.

Test case for MTR:

create table t1 (id int);
create database db1;
use db1;
create table t1 (id int);
create user 'dummy'@'localhost';

connect (addcondummy, localhost, dummy,,);
connection addcondummy;
use information_schema;
select * from TABLES where TABLE_NAME='t1';
select user();
show grants;
[21 Jan 2010 15:14] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/97737

3330 Georgi Kodinov	2010-01-21
      Bug #50276: Security flaw in INFORMATION_SCHEMA.TABLES
      
      check_access() returning false for a database does not
      guarantee that the access is granted to it.
      This wrong condition in filling the INFORMATION_SCHEMA
      tables causes extra tables to be returned to the user
      even if he has no rights to see them.
      Fixed by correcting the condition.
[2 Feb 2010 17:07] Bugs System
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/98981

3351 Georgi Kodinov	2010-01-21
      Bug #50276: Security flaw in INFORMATION_SCHEMA.TABLES
      
      check_access() returning false for a database does not
      guarantee that the access is granted to it.
      This wrong condition in filling the INFORMATION_SCHEMA
      tables causes extra tables to be returned to the user
      even if he has no rights to see them.
      Fixed by correcting the condition.
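To make the condition described in the two commit messages above concrete, here is an added Python model (not MySQL's own code; the privilege bits, grant layout, catalog and helper names are constructed for illustration) of an INFORMATION_SCHEMA.TABLES row filter that reads "check_access() returned no error" as "access granted", beside the corrected filter that requires an actual privilege on the table.

```python
# Added example (not MySQL's code): a simplified model of the privilege
# filter behind Bug #50276.  Grant layout, catalog and helper names are
# constructed for illustration; they mirror the commit message's point
# that check_access() returning "no error" is not "access granted".
from dataclasses import dataclass, field

SELECT_ACL = 0x1          # constructed privilege bit
TABLE_ACLS = SELECT_ACL   # privileges that can also be granted per table


@dataclass
class Grants:
    global_priv: int = 0
    db_priv: dict = field(default_factory=dict)     # db -> privilege bits
    table_priv: dict = field(default_factory=dict)  # (db, table) -> bits


def check_access(grants, db, want):
    """Return (error, save_priv), modelled on the real function's contract.
    error=False has two meanings: the user holds `want` on `db`
    (save_priv != 0), or the answer is deferred because a table-level
    grant inside `db` could still supply it (save_priv == 0).
    """
    have = grants.global_priv | grants.db_priv.get(db, 0)
    if have & want:
        return False, have
    if want & TABLE_ACLS:       # maybe granted per table: caller must check
        return False, 0
    return True, 0              # definitely denied


def has_table_grant(grants, db, table, want):
    return bool(grants.table_priv.get((db, table), 0) & want)


def visible_tables_buggy(grants, catalog):
    """Pre-fix condition: '!check_access()' read as 'access granted'."""
    return [(db, t) for db, t in catalog
            if not check_access(grants, db, SELECT_ACL)[0]]


def visible_tables_fixed(grants, catalog):
    """Corrected condition: require a real privilege on the table."""
    out = []
    for db, t in catalog:
        err, save_priv = check_access(grants, db, SELECT_ACL)
        if not err and (save_priv or has_table_grant(grants, db, t, SELECT_ACL)):
            out.append((db, t))
    return out


# Constructed catalog and users mirroring the report's my_db.t1 scenario.
CATALOG = [("my_db", "t1"), ("my_db", "orders")]
DUMMY = Grants()                                           # no privileges at all
APP = Grants(table_priv={("my_db", "t1"): SELECT_ACL})     # SELECT on one table
```

With the buggy filter the privilege-less DUMMY user sees every table in the catalog; with the corrected filter it sees none, and APP sees only the one table it holds a grant on.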
[4 Feb 2010 10:20] Bugs System
Pushed into 5.1.44 (revid:joro@sun.com-20100204101444-2j32mhqroo0iiio6) (version source revid:joro@sun.com-20100121151410-lc5d91r4pszil23j) (merge vers: 5.1.43) (pib:16)
[5 Feb 2010 11:50] Bugs System
Pushed into mysql-next-mr (revid:alik@sun.com-20100204063540-9czpdmpixi3iw2yb) (version source revid:alik@sun.com-20100203202658-iycf0y6ozq9r2g2y) (pib:16)
[5 Feb 2010 11:56] Bugs System
Pushed into 6.0.14-alpha (revid:alik@sun.com-20100205113942-oqovjy0eoqbarn7i) (version source revid:alik@sun.com-20100204064210-ljwanqvrjs83s1gq) (merge vers: 6.0.14-alpha) (pib:16)
[5 Feb 2010 12:01] Bugs System
Pushed into 5.5.2-m2 (revid:alik@sun.com-20100203172258-1n5dsotny40yufxw) (version source revid:alik@sun.com-20100203172258-1n5dsotny40yufxw) (merge vers: 5.5.2-m2) (pib:16)
[10 Feb 2010 18:33] Paul Dubois
Noted in 5.1.44, 5.5.2, 6.0.14 changelogs.

A user could see tables in INFORMATION_SCHEMA.TABLES without
appropriate privileges for them. 

Setting report to Need Merge pending push to Celosia.
[12 Mar 2010 14:09] Bugs System
Pushed into 5.1.44-ndb-7.0.14 (revid:jonas@mysql.com-20100312135944-t0z8s1da2orvl66x) (version source revid:jonas@mysql.com-20100312115609-woou0te4a6s4ae9y) (merge vers: 5.1.44-ndb-7.0.14) (pib:16)
[12 Mar 2010 14:25] Bugs System
Pushed into 5.1.44-ndb-6.2.19 (revid:jonas@mysql.com-20100312134846-tuqhd9w3tv4xgl3d) (version source revid:jonas@mysql.com-20100312060623-mx6407w2vx76h3by) (merge vers: 5.1.44-ndb-6.2.19) (pib:16)
[12 Mar 2010 14:39] Bugs System
Pushed into 5.1.44-ndb-6.3.33 (revid:jonas@mysql.com-20100312135724-xcw8vw2lu3mijrhn) (version source revid:jonas@mysql.com-20100312103652-snkltsd197l7q2yg) (merge vers: 5.1.44-ndb-6.3.33) (pib:16)
[12 Mar 2010 16:14] Paul Dubois
Setting report to Need Merge pending push to Celosia.
[12 Mar 2010 16:27] Paul Dubois
Already fixed in earlier 5.1.x, 5.5.x.