Bug #50276 | Security flaw in INFORMATION_SCHEMA.TABLES | ||
---|---|---|---|
Submitted: | 12 Jan 2010 14:51 | Modified: | 12 Mar 2010 16:27 |
Reporter: | Tushar Mahale | Email Updates: | |
Status: | Closed | Impact on me: | |
Category: | MySQL Server: Information schema | Severity: | S1 (Critical) |
Version: | 5.1.35, 5.5.99 | OS: | Linux |
Assigned to: | Georgi Kodinov | CPU Architecture: | Any |
Tags: | regression |
[12 Jan 2010 14:51]
Tushar Mahale
[12 Jan 2010 20:54]
Sveta Smirnova
Thank you for taking the time to write to us, but this is not a bug. Please double-check the documentation available at http://dev.mysql.com/doc/ and the instructions on how to report a bug at http://bugs.mysql.com/how-to-report.php

Please read at http://dev.mysql.com/doc/refman/5.1/en/default-privileges.html about special privileges for database test.
[13 Jan 2010 6:54]
Tushar Mahale
How come it is not a bug? The bug can very well be reproduced on any other database. Please use any other DB than "test", the bug will be reproduced.
[13 Jan 2010 7:06]
Tushar Mahale
```
mysql> create database my_db;
Query OK, 1 row affected (0.00 sec)

mysql> use my_db;
Database changed
mysql> create table t1 (id int);
Query OK, 0 rows affected (0.01 sec)

mysql> select user();
+----------------+
| user()         |
+----------------+
| root@localhost |
+----------------+
1 row in set (0.00 sec)

mysql> create user 'dummy'@'localhost';
Query OK, 0 rows affected (0.00 sec)

--- login as dummy ---

mysql> use information_schema
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> select * from TABLES where TABLE_NAME='t1';
+---------------+--------------+------------+------------+--------+---------+------------+------------+----------------+-------------+------------------+--------------+-----------+----------------+---------------------+---------------------+------------+-------------------+----------+----------------+---------------+
| TABLE_CATALOG | TABLE_SCHEMA | TABLE_NAME | TABLE_TYPE | ENGINE | VERSION | ROW_FORMAT | TABLE_ROWS | AVG_ROW_LENGTH | DATA_LENGTH | MAX_DATA_LENGTH  | INDEX_LENGTH | DATA_FREE | AUTO_INCREMENT | CREATE_TIME         | UPDATE_TIME         | CHECK_TIME | TABLE_COLLATION   | CHECKSUM | CREATE_OPTIONS | TABLE_COMMENT |
+---------------+--------------+------------+------------+--------+---------+------------+------------+----------------+-------------+------------------+--------------+-----------+----------------+---------------------+---------------------+------------+-------------------+----------+----------------+---------------+
| NULL          | my_db        | t1         | BASE TABLE | MyISAM |      10 | Fixed      |          0 |              0 |           0 | 1970324836974591 |         1024 |         0 |           NULL | 2010-01-12 22:52:47 | 2010-01-12 22:52:47 | NULL       | latin1_swedish_ci |     NULL |                |               |
+---------------+--------------+------------+------------+--------+---------+------------+------------+----------------+-------------+------------------+--------------+-----------+----------------+---------------------+---------------------+------------+-------------------+----------+----------------+---------------+
1 row in set (0.00 sec)

mysql> select user();
+-----------------+
| user()          |
+-----------------+
| dummy@localhost |
+-----------------+
1 row in set (0.00 sec)
```
[13 Jan 2010 7:14]
Sveta Smirnova
Thank you for the feedback.

Verified as described. Version 5.0 is not affected.

Test case for MTR:

```
create table t1 (id int);
create database db1;
use db1;
create table t1 (id int);
create user 'dummy'@'localhost';
connect (addcondummy, localhost, dummy,,);
connection addcondummy;
use information_schema;
select * from TABLES where TABLE_NAME='t1';
select user();
show grants;
```
[21 Jan 2010 15:14]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:

http://lists.mysql.com/commits/97737

3330 Georgi Kodinov 2010-01-21

Bug #50276: Security flaw in INFORMATION_SCHEMA.TABLES

check_access() returning false for a database does not guarantee that the access is granted to it. This wrong condition in filling the INFORMATION_SCHEMA tables causes extra tables to be returned to the user even if he has no rights to see them.

Fixed by correcting the condition.
[2 Feb 2010 17:07]
Bugs System
A patch for this bug has been committed. After review, it may be pushed to the relevant source trees for release in the next version. You can access the patch from:

http://lists.mysql.com/commits/98981

3351 Georgi Kodinov 2010-01-21

Bug #50276: Security flaw in INFORMATION_SCHEMA.TABLES

check_access() returning false for a database does not guarantee that the access is granted to it. This wrong condition in filling the INFORMATION_SCHEMA tables causes extra tables to be returned to the user even if he has no rights to see them.

Fixed by correcting the condition.
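The commit message above says that a false return from check_access() is not by itself a grant. A simplified C model of that mistake and of a corrected condition follows, added here as an illustration: it is not MySQL's source or the committed patch, and every function name, the grant data, the catalog and the rule for when the database-level check defers to table-level grants are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#define SELECT_PRIV  1u  /* grantable per database or per table */
#define DB_ONLY_PRIV 2u  /* hypothetical privilege with no table-level form */

/* Constructed grants for the model; table == NULL means database-level. */
static const struct grant { const char *user, *db, *table; unsigned privs; } GRANTS[] = {
    { "root", "my_db", NULL, SELECT_PRIV },
    { "app",  "my_db", "t1", SELECT_PRIV },
};
static const char *CATALOG[][2] = { { "my_db", "t1" }, { "my_db", "t2" } };

static unsigned lookup(const char *user, const char *db, const char *table) {
    for (size_t i = 0; i < sizeof GRANTS / sizeof GRANTS[0]; i++) {
        const struct grant *g = &GRANTS[i];
        bool same_level = table ? (g->table && !strcmp(table, g->table)) : !g->table;
        if (same_level && !strcmp(user, g->user) && !strcmp(db, g->db))
            return g->privs;
    }
    return 0;
}

/* true = hard denial; false = granted here OR left to a table-level check. */
static bool model_check_access(const char *user, const char *db, unsigned want, unsigned *db_privs) {
    *db_privs = lookup(user, db, NULL);
    return (want & ~*db_privs & DB_ONLY_PRIV) != 0;
}

static bool visible_flawed(const char *user, const char *db, const char *table) {
    unsigned p;  /* table is never consulted: "not denied" is read as "granted" */
    return !model_check_access(user, db, SELECT_PRIV, &p);
}

static bool visible_fixed(const char *user, const char *db, const char *table) {
    unsigned p;
    if (model_check_access(user, db, SELECT_PRIV, &p)) return false;
    return p != 0 || lookup(user, db, table) != 0;  /* require an actual grant */
}

static int count_visible(const char *user, bool (*visible)(const char *, const char *, const char *)) {
    int n = 0;
    for (size_t i = 0; i < sizeof CATALOG / sizeof CATALOG[0]; i++)
        n += visible(user, CATALOG[i][0], CATALOG[i][1]);
    return n;
}

int main(void) {
    printf("dummy sees %d (flawed), %d (fixed)\n", count_visible("dummy", visible_flawed), count_visible("dummy", visible_fixed));
}
```

In the model, the account with no grants sees every catalog entry under the flawed condition and none under the corrected one, while an account holding a single table-level grant sees only that table.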
[4 Feb 2010 10:20]
Bugs System
Pushed into 5.1.44 (revid:joro@sun.com-20100204101444-2j32mhqroo0iiio6) (version source revid:joro@sun.com-20100121151410-lc5d91r4pszil23j) (merge vers: 5.1.43) (pib:16)
[5 Feb 2010 11:50]
Bugs System
Pushed into mysql-next-mr (revid:alik@sun.com-20100204063540-9czpdmpixi3iw2yb) (version source revid:alik@sun.com-20100203202658-iycf0y6ozq9r2g2y) (pib:16)
[5 Feb 2010 11:56]
Bugs System
Pushed into 6.0.14-alpha (revid:alik@sun.com-20100205113942-oqovjy0eoqbarn7i) (version source revid:alik@sun.com-20100204064210-ljwanqvrjs83s1gq) (merge vers: 6.0.14-alpha) (pib:16)
[5 Feb 2010 12:01]
Bugs System
Pushed into 5.5.2-m2 (revid:alik@sun.com-20100203172258-1n5dsotny40yufxw) (version source revid:alik@sun.com-20100203172258-1n5dsotny40yufxw) (merge vers: 5.5.2-m2) (pib:16)
[10 Feb 2010 18:33]
Paul DuBois
Noted in 5.1.44, 5.5.2, 6.0.14 changelogs. A user could see tables in INFORMATION_SCHEMA.TABLES without appropriate privileges for them. Setting report to Need Merge pending push to Celosia.
[12 Mar 2010 14:09]
Bugs System
Pushed into 5.1.44-ndb-7.0.14 (revid:jonas@mysql.com-20100312135944-t0z8s1da2orvl66x) (version source revid:jonas@mysql.com-20100312115609-woou0te4a6s4ae9y) (merge vers: 5.1.44-ndb-7.0.14) (pib:16)
[12 Mar 2010 14:25]
Bugs System
Pushed into 5.1.44-ndb-6.2.19 (revid:jonas@mysql.com-20100312134846-tuqhd9w3tv4xgl3d) (version source revid:jonas@mysql.com-20100312060623-mx6407w2vx76h3by) (merge vers: 5.1.44-ndb-6.2.19) (pib:16)
[12 Mar 2010 14:39]
Bugs System
Pushed into 5.1.44-ndb-6.3.33 (revid:jonas@mysql.com-20100312135724-xcw8vw2lu3mijrhn) (version source revid:jonas@mysql.com-20100312103652-snkltsd197l7q2yg) (merge vers: 5.1.44-ndb-6.3.33) (pib:16)
[12 Mar 2010 16:14]
Paul DuBois
Setting report to Need Merge pending push to Celosia.
[12 Mar 2010 16:27]
Paul DuBois
Already fixed in earlier 5.1.x, 5.5.x.