Bug #7043 SHOW CREATE TABLE security hole
Submitted: 6 Dec 2004 16:43 Modified: 7 Dec 2004 19:55
Reporter: Gabor Kiss Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server Severity:S2 (Serious)
Version:4.1.7-log OS:Linux (Linux)
Assigned to:

[6 Dec 2004 16:43] Gabor Kiss
Description:
SHOW CREATE TABLE reveals table structure even if user has no permissions
to do anything with a table.

How to repeat:
mysql> describe tapes;
ERROR 1142 (42000): select command denied to user 'guest2'@'myhost.mydoma.in' for table 'tapes'

mysql> show create table `tapes` \G
*************************** 1. row ***************************
       Table: tapes
Create Table: CREATE TABLE `tapes` (
  `tape` smallint(6) NOT NULL default '0',
  `id` varchar(10) default NULL,
  `fleet` varchar(10) default '',
  `last_time` datetime default NULL,
  PRIMARY KEY  (`tape`),
  UNIQUE KEY `id` (`id`,`fleet`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1
1 row in set (0.01 sec)

mysql>
[6 Dec 2004 17:53] Miguel Solorzano
Verified on latest BK source.
[7 Dec 2004 19:55] Jani Tolonen
Thank you for your bug report. This issue has been committed to our
source repository of that product and will be incorporated into the
next release.

If necessary, you can access the source repository and build the latest
available version, including the bugfix, yourself. More information 
about accessing the source trees is available at
    http://www.mysql.com/doc/en/Installing_source_tree.html