Bug #676 | SHOW commands allow you to know if databases exist even without access to them | ||
---|---|---|---|
Submitted: | 18 Jun 2003 15:51 | Modified: | 3 Jul 2003 13:38 |
Reporter: | Harrison Fisk | Email Updates: | |
Status: | Closed | Impact on me: | |
Category: | MySQL Server | Severity: | S3 (Non-critical) |
Version: | 4.0.13 | OS: | MacOS (Mac OS X) |
Assigned to: | MySQL Verification Team | CPU Architecture: | Any |
[18 Jun 2003 15:51]
Harrison Fisk
[19 Jun 2003 5:10]
MySQL Verification Team
Have you tried the --safe-show-database option?
[19 Jun 2003 5:24]
Harrison Fisk
This has nothing to do with SHOW DATABASES;, which is what --safe-show-database affects. Also, I am using 4.0, in which I believe that option has been deprecated, since in the 4.0 series SHOW DATABASES; automatically shows only databases that you have privileges to access. I did try it just to verify, and the bug still exists.

The real problem is as detailed below and as previous examples show: SHOW TABLE STATUS FROM db like '%'; and SHOW TABLES FROM db; on a database that you don't have privileges to will give different error messages depending on whether the database exists or not. This is an information leak, as people can find out which databases exist or not by trying to show information from them. Instead they should get a permission denied error no matter what.

The idea is similar to how, if you try to "USE db" on a database that you don't have privileges to (as a limited-privilege user), you always get permission denied whether or not the database actually exists. This has the effect of hiding which databases really exist, since you shouldn't know this.
[3 Jul 2003 13:38]
MySQL Verification Team
Thank you for your bug report. This issue has been fixed in the latest development tree for that product. You can find more information about accessing our development trees at http://www.mysql.com/doc/en/Installing_source_tree.html
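The check ordering behind the leak described in this report, and the uniform-denial behaviour the reporter asks for, as an added Python model (not MySQL source code and not part of the original report). The report does not quote the two error messages; the codes 1044 (access denied to database) and 1049 (unknown database) are MySQL's standard codes for those conditions and are used here as an assumption, and all function names and sample data are hypothetical.

```python
# Added illustration: a toy model of the check ordering, not MySQL source code.
ER_DBACCESS_DENIED = 1044  # standard MySQL code: access denied to database
ER_BAD_DB = 1049           # standard MySQL code: unknown database

# Constructed sample state: databases on the server and per-user grants.
DATABASES = {"payroll", "hr", "test"}
GRANTS = {"limited": {"test"}}


def show_tables_leaky(user, db):
    """Existence is checked before privileges, so the error depends on it."""
    if db not in DATABASES:
        return ER_BAD_DB
    if db not in GRANTS.get(user, set()):
        return ER_DBACCESS_DENIED
    return 0


def show_tables_uniform(user, db):
    """Privileges are checked first; existence is visible only to grantees."""
    if db not in GRANTS.get(user, set()):
        return ER_DBACCESS_DENIED
    if db not in DATABASES:
        return ER_BAD_DB
    return 0


def responses_by_code(show_tables, user, ungranted_names):
    """Group database names the user has no grant on by the code returned."""
    grouped = {}
    for name in ungranted_names:
        grouped.setdefault(show_tables(user, name), []).append(name)
    return grouped


def leaks_existence(show_tables, user, ungranted_names):
    """Regression check: more than one distinct response means an oracle."""
    return len(responses_by_code(show_tables, user, ungranted_names)) > 1
```

The same `leaks_existence` check can be pointed at a real server by replacing `show_tables` with a function that runs the statement as a limited-privilege user and returns the error code.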