Vuln: MySQL MyISAM Table Privileges Security Bypass Vulnerability

Vuln: MySQL MyISAM Table Privileges Security Bypass Vulnerability (source: SecurityFocus Vulnerabilities)

In all modern versions of MySQL (that is, beginning early in MySQL 4's development history), the "CREATE TABLE ( ) DATA DIRECTORY ... INDEX DIRECTORY ..." command can be used to escalate privileges to access and change data created by other MySQL users. MySQL AB has changed MySQL 4 and MySQL 5 behavior to remedy this problem.

However, this is also a good occasion to point out the value of denying direct RDBMS access to any untrusted system user or application and instead forcing all access to be made through the application layer. That is, of course, as long as one locks down the application layer's access to the RDBMS, too! Besides controlling access for security purposes, managing access at the application layer improves the chance of enforcing business rules with the database (without resorting to stored procedures and triggers).

-- Robot Terror
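Because the issue depends on being able to run CREATE TABLE, one way to act on the advice above is to review which accounts hold a privilege that permits it. The following is an added example, not part of the original post: it parses `SHOW GRANTS` output and lists non-allowlisted accounts that can create tables. The account names, the allowlist and the sample grant lines are constructed for illustration.

```python
import re

# Privileges that allow CREATE TABLE, the statement the advisory concerns.
CREATE_CAPABLE = {"CREATE", "ALL PRIVILEGES", "ALL"}

GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+"
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)'", re.IGNORECASE)

def split_privileges(privs):
    """Split a privilege list, dropping column lists such as SELECT (a, b)."""
    privs = re.sub(r"\([^)]*\)", "", privs)
    return {p.strip().upper() for p in privs.split(",") if p.strip()}

def audit_grants(lines, allowed_accounts):
    """Return (account, scope) pairs that can create tables but are not allowlisted."""
    findings = []
    for line in lines:
        m = GRANT_RE.match(line.strip())
        if not m:
            continue  # not a GRANT line (header, blank line, etc.)
        account = f"{m['user']}@{m['host']}"
        if account in allowed_accounts:
            continue
        if split_privileges(m["privs"]) & CREATE_CAPABLE:
            findings.append((account, m["scope"]))
    return findings

# Constructed sample: SHOW GRANTS output collected for several accounts.
SAMPLE_GRANTS = [
    "GRANT USAGE ON *.* TO 'webapp'@'10.0.0.5' IDENTIFIED BY PASSWORD '*placeholder'",
    "GRANT SELECT, INSERT, UPDATE, DELETE ON `shop`.* TO 'webapp'@'10.0.0.5'",
    "GRANT SELECT, CREATE ON `scratch`.* TO 'intern'@'%'",
    "GRANT ALL PRIVILEGES ON `reports`.* TO 'analyst'@'localhost'",
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
]

if __name__ == "__main__":
    for account, scope in audit_grants(SAMPLE_GRANTS, {"root@localhost"}):
        print(f"{account} can CREATE TABLE on {scope}")
```

Accounts reported here are candidates for having CREATE revoked or for being moved behind the application layer, as the post recommends.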
