Bug #676 SHOW commands allow you to know if databases exist even without access to them
Submitted: 18 Jun 2003 15:51 Modified: 3 Jul 2003 13:38
Reporter: Harrison Fisk Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server Severity:S3 (Non-critical)
Version:4.0.13 OS:Mac OS X (Mac OS X)
Assigned to: Sinisa Milivojevic CPU Architecture:Any

[18 Jun 2003 15:51] Harrison Fisk
Description:
Both the SHOW TABLES FROM db; and the SHOW TABLE STATUS FROM db; let you know if the database in question exists or not due to error given not being permission denied.

Get this if the database exists:
  mysql> show table status from mysql like '%';
  Empty set (0.00 sec)

Get this error if database doesn't exist:
  mysql> show table status from a like '%';
  ERROR 12: Can't read dir of './a/' (Errcode: 2)

Same behavior with SHOW TABLES FROM...;

You should get a permission denied with either of them, since you don't have access to either database.

How to repeat:
Login in a non-privilege user
shell> mysql -u wu -pfoo

-- Gives empty set
show table status from mysql like '%';

-- Gives error, letting you know it doens't exist
show table status from asdfafd like '%';

-- another empty set
show tables from mysql; 

-- error message yet again
show tables from asfwreasf;

Suggested fix:
Return permission denied if you try to SHOW from a database you don't have permission to.
[19 Jun 2003 5:10] Sinisa Milivojevic
Have you tried:

--safe-show-database

option ??
[19 Jun 2003 5:24] Harrison Fisk
This has nothing to do with SHOW DATABASES; which --safe-show-database affects.

Also I am using 4.0, which that option has been depreciated I believe, since in the 4.0 series SHOW DATABASES; automatically only shows databases that you have privileges to access.

I did try it just to verify, and the bug still exists.

The real problem is as detailed below and previous examples show:
SHOW TABLE STATUS FROM db like '%'; and SHOW TABLES FROM db; on a database that you don't have privileges to will give different error messages depending on if the database exists or not.  
This is an information leak as people can find out which databases exist or not, by trying to show information from them.

Instead they should get a permission denied error no matter what.

The idea is similar to how if you try to "USE db" on a database that you don't have privileges to (as a limitted privilege user), then you always get permission denied whether or not the database actually exists.  This has the effect of hiding which databases really exist since you shouldn't know this.
[3 Jul 2003 13:38] Sinisa Milivojevic
Thank you for your bug report. This issue has been fixed in the latest
development tree for that product. You can find more information about
accessing our development trees at 
    http://www.mysql.com/doc/en/Installing_source_tree.html