Mailing List Archive

Security Problem?
Hello,

What I tried to get the oldest users was:

select * from user order by user_touched limit 10;

No problem, but a little bit too much output. I modified:

select user_id, user_name from user order by user_touched limit 50;

and I got an error: 1143: SELECT command denied to user:
'wikisql@127.0.0.1' for column 'user_touched' in table 'user'

Is our pretty MySQL too stupid to know that * includes user_touched? I know
which permissions are set by users.sql, I'm only wondering.


--
Smurf

smurf@AdamAnt.mud.de
------------------------- Anthill inside! ---------------------------
Re: Security Problem?
On Sunday 25 May 2003 14:17, Thomas Corell wrote:
> and I got an error: 1143: SELECT command denied to user:
> 'wikisql@127.0.0.1' for column 'user_touched' in table 'user'
>
> Is our pretty MySQL too stupid to know that * includes user_touched? I
> know which permissions are set by users.sql, I'm only wondering.

Sysop queries aren't allowed to touch user_password, user_newpassword,
or user_email. It looks like I didn't think to add user_touched to the
permissions when that column was added; it is debatable whether
allowing it would be a privacy issue (as it tracks the last time
someone logged in, logged out, saved their preferences, had a message
left on their talk page, or viewed their talk page, even if they have
made no edits to the wiki and thus don't expect to be publicly
tracked).

-- brion vibber (brion @ pobox.com)
Re: Security Problem?
Brion Vibber wrote:
> Sysop queries aren't allowed to touch user_password, user_newpassword,
> or user_email. It looks like I didn't think to add user_touched to the
> permissions when that column was added; it is debatable whether
> allowing it would be a privacy issue (as it tracks the last time
> someone logged in, logged out, saved their preferences, had a message
> left on their talk page, or viewed their talk page, even if they have
> made no edits to the wiki and thus don't expect to be publicly
> tracked).

Well, I only tested German Wikipedia, of course. But I see all these values,
which of course I could not edit. The other problem I remember: public
access to user.sql via the download area. If you do this, forget all those
restrictions.

I cannot test if the permissions in maintenance/users.sql are applied to
the German wiki, but in that file they look right.

If sysops are allowed that privacy data, well, in contrast to Jimbo's mail
about everything open for all, I've personally no problem with
restrictions, but that's something for long-term Wikipedians, with the
proper wikiquette in mind.

PS: I only came across this in my experiments for new SpecialPages. One idea was
to know about never-used accounts. Coming along with the idea to delete
them by software, in order to prevent things like the problematic deletion
of one of our German members.
--
Smurf

smurf@AdamAnt.mud.de
------------------------- Anthill inside! ---------------------------
Re: Security Problem?
On Sunday 25 May 2003 15:13, Thomas Corell wrote:
> Well, I only tested German Wikipedia, of course. But I see all these
> values, which of course I could not edit.

Whoaaaaaaa, that's a horse of a different color.

That's a serious bug.

Okay: this correctly gives error:
SELECT user_password from user limit 5

but this shows the password and e-mail fields:
SELECT * from user limit 5

I'm disabling the queries until this is fixed.

> The other problem I
> remember: public access to user.sql via the download area. If you do
> this, forget all those restrictions.

??????

urkkkk..... those should really not have been there. I assume Lee
created them at some point when making backups, and forgot that they
were world-accessible download directories. I've deleted them.

-- brion vibber (brion @ pobox.com)
Re: Security Problem?
On Sunday 25 May 2003 15:36, Brion Vibber wrote:
> Okay: this correctly gives error:
> SELECT user_password from user limit 5
>
> but this shows the password and e-mail fields:
> SELECT * from user limit 5

Okay, this is a MySQL bug. It's apparently fixed in 4.0.13, here's the
changelog entry:
* Fixed a security problem with SELECT and wildcarded select list,
when user only had partial column SELECT privileges on the table.

I'll install the upgrade, then reenable sql queries if all is well.

-- brion vibber (brion @ pobox.com)
Re: Security Problem?
On Sunday 25 May 2003 16:42, Brion Vibber wrote:
> Okay, this is a MySQL bug. It's apparently fixed in 4.0.13, here's
> the changelog entry:
> * Fixed a security problem with SELECT and wildcarded select list,
> when user only had partial column SELECT privileges on the table.

4.0.13 is installed, it seems to have fixed the bug. SQL queries back
open for business.

-- brion vibber (brion @ pobox.com)
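
A check for the behaviour this thread describes, added here as an example and not taken from the original messages or from the project's users.sql: it sets up a column-level SELECT grant on a scratch copy of the table, lists the columns the grant leaves out, and gives the four queries to run as the restricted account. The acl_check schema, the acl_probe account and its password, the column types and the sample row are constructed placeholders, and the information_schema views and CREATE USER IF NOT EXISTS assume MySQL 5.7 or later rather than the 4.0 series discussed above.

```sql
-- Run as an administrative account. Schema, account, password, column types
-- and the sample row are constructed; column names follow the thread.
CREATE DATABASE IF NOT EXISTS acl_check;
USE acl_check;

CREATE TABLE IF NOT EXISTS `user` (
  user_id          INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
  user_name        VARCHAR(255) NOT NULL,
  user_password    VARCHAR(255) NOT NULL,
  user_newpassword VARCHAR(255) NOT NULL,
  user_email       VARCHAR(255) NOT NULL,
  user_touched     CHAR(14)     NOT NULL
);
INSERT INTO `user`
  (user_name, user_password, user_newpassword, user_email, user_touched)
VALUES
  ('ExampleUser', 'constructed-hash', '', 'user@example.invalid', '20030525141700');

CREATE USER IF NOT EXISTS 'acl_probe'@'localhost' IDENTIFIED BY 'replace-me';
-- Column-level grant: only the two columns the restricted account may read.
GRANT SELECT (user_id, user_name) ON acl_check.`user` TO 'acl_probe'@'localhost';

-- Columns of the table that the grant does NOT cover. Review this list whenever
-- a column is added, so that a new field is allowed or withheld on purpose.
SELECT c.column_name
FROM information_schema.columns AS c
LEFT JOIN information_schema.column_privileges AS p
       ON  p.table_schema   = c.table_schema
       AND p.table_name     = c.table_name
       AND p.column_name    = c.column_name
       AND p.privilege_type = 'SELECT'
       AND p.grantee        = '''acl_probe''@''localhost'''
WHERE c.table_schema = 'acl_check'
  AND c.table_name   = 'user'
  AND p.column_name IS NULL
ORDER BY c.ordinal_position;

-- Reconnect as 'acl_probe'@'localhost', USE acl_check, and run each statement
-- on its own so that one denial does not hide the next result.
SELECT user_id, user_name FROM `user` LIMIT 5;   -- expected: rows returned
SELECT user_password FROM `user` LIMIT 5;        -- expected: denied
SELECT user_id, user_name FROM `user`
  ORDER BY user_touched LIMIT 5;                 -- expected: denied (error 1143 in the thread)
SELECT * FROM `user` LIMIT 5;                    -- expected: denied; rows here mean the wildcard bug

-- Clean up as admin: DROP USER 'acl_probe'@'localhost'; DROP DATABASE acl_check;
```
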
Re: Security Problem?
Brion Vibber wrote:

> 4.0.13 is installed, it seems to have fixed the bug. SQL queries back
> open for business.
>

Fine. One Apache, one MySQL bug. Seems to be enough for a weekend. *grin
demonically*

Did I tell you that I like feature freeze? ;)

--
Smurf
Two for the records, one in mind.
smurf@AdamAnt.mud.de
------------------------- Anthill inside! ---------------------------
Re: Security Problem?
On Sunday 25 May 2003 22:02, Thomas Corell wrote:
> Fine. One Apache, one MySQL bug. Seems to be enough for a weekend.
> *grin demonically*

Please don't find any kernel bugs; they don't have a more recent stable
release of that yet. :D

> Did I tell you that I like feature freeze? ;)

If only we could declare a bug freeze. :)

-- brion vibber (brion @ pobox.com)
Re: Security Problem?
Brion Vibber wrote:
> Please don't find any kernel bugs; they don't have a more recent stable
> release of that yet. :D

No interest in Linux-Kernel from my side. I will check the application only.

>>Did I tell you that I like feature freeze? ;)
> If only we could declare a bug freeze. :)

Nothing easier than that: Declare all open bugs as features and there
you are.

Smurf
--
--- Anthill Inside! ---