SecurityTracker.com
Category:   Application (Database)  >   MySQL
Vendors:   MySQL.com
MySQL MERGE Access Control Error May Let Users Access a Restricted Table
SecurityTracker Alert ID:  1016617
SecurityTracker URL:  http://securitytracker.com/id/1016617
CVE Reference:   CVE-2006-4031
Updated:  Jun 8 2008
Original Entry Date:  Aug 1 2006
Impact:   Disclosure of user information, Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 4.x prior to 4.1.21; 5.0 prior to 5.0.24
Description:   A vulnerability was reported in MySQL. A remote authenticated user can continue to access a table after their privileges have been revoked.

A remote authenticated user with access to a MyISAM table can create a MERGE table that accesses the original table. If the user's privileges for the original table are subsequently revoked, the user can still access the original table via the new table.

The original report is available at:

http://bugs.mysql.com/bug.php?id=15195

Peter Gulutzan reported this vulnerability.

Impact:   A remote authenticated user may be able to access a table after the user's privileges for that table have been revoked.
Solution:   The vendor has released fixed versions (4.1.21, 5.0.24).

The MySQL advisory is available at:

http://dev.mysql.com/doc/refman/4.1/en/news-4-1-21.html
http://dev.mysql.com/doc/refman/5.0/en/news-5-0-24.html
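
An added example (not part of the SecurityTracker entry or MySQL's own code): a Python audit helper that checks a server version string against the affected ranges listed above and flags accounts that hold privileges on a MERGE table but not on one of its underlying tables. The table names, accounts and the table-level-only grant model are constructed assumptions; real inputs would come from SELECT VERSION(), SHOW CREATE TABLE and SHOW GRANTS.

```python
import re

def is_affected(version):
    """True if a MySQL version string is in the advisory's affected range."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised version: %r" % version)
    major, minor, patch = map(int, m.groups())
    if major == 4:                    # "4.x prior to 4.1.21"
        return (minor, patch) < (1, 21)
    if (major, minor) == (5, 0):      # "5.0 prior to 5.0.24"
        return patch < 24
    return False                      # series not listed in the advisory

# SHOW CREATE TABLE prints ENGINE=MRG_MyISAM; older dumps may use TYPE=MERGE.
UNION_RE = re.compile(
    r"(?:ENGINE|TYPE)\s*=\s*(?:MRG_MYISAM|MERGE)\b.*?UNION\s*=\s*\(([^)]*)\)",
    re.I | re.S)

def merge_members(db, create_stmt):
    """Return the db-qualified tables a MERGE definition maps onto."""
    m = UNION_RE.search(create_stmt)
    if not m:
        return []
    names = [p.strip().replace("`", "") for p in m.group(1).split(",")]
    return [n if "." in n else db + "." + n for n in names if n]

def stale_merge_access(merge_tables, table_grants):
    """Flag (account, merge_table, member) where the account can use the
    MERGE table but holds no table-level grant on the member table."""
    findings = []
    for merge_name, stmt in sorted(merge_tables.items()):
        members = merge_members(merge_name.split(".", 1)[0], stmt)
        for account, granted in sorted(table_grants.items()):
            if merge_name in granted:
                findings += [(account, merge_name, t)
                             for t in members if t not in granted]
    return findings

# Constructed sample data (assumed names; db-level/global grants not modelled).
SAMPLE_MERGE = {
    "hr.m_salaries": "CREATE TABLE `m_salaries` (\n  `id` int(11) default NULL\n"
                     ") ENGINE=MRG_MyISAM DEFAULT CHARSET=latin1 "
                     "UNION=(`salaries`,`archive`.`salaries_2005`)",
}
SAMPLE_GRANTS = {
    "alice@localhost": {"hr.m_salaries", "archive.salaries_2005"},
    "bob@localhost": {"hr.m_salaries", "hr.salaries", "archive.salaries_2005"},
}

if __name__ == "__main__":
    print(is_affected("5.0.22-log"), stale_merge_access(SAMPLE_MERGE, SAMPLE_GRANTS))
```

Each finding is a MERGE table to review or drop after a REVOKE on the underlying table; upgrading to 4.1.21 or 5.0.24 remains the fix the advisory gives.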

Vendor URL:  www.mysql.com/products/mysql/
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


Copyright 2019, SecurityGlobal.net LLC