Bugtraq mailing list archives

Re: MySQL 5.0 information leak?


From: Johan De Meersman <jdm () operamail com>
Date: Tue, 24 Jan 2006 12:09:58 +0100

Burton Strauss wrote:

Traditionally the schema for a database is NOT secure information.
Applications download this information to build queries on the fly.

The essential problem is relying on security by obscurity, "I have user
accounts (nss) that have publicly available credentials but noone [sic]
should be able to see how the database really is organized".
I don't agree - basic security says that no user should have more access
than he strictly needs. A user that only uses a fixed set of queries
doesn't need to see how the database is laid out - if he can, an
attacker wouldn't need to guess the names of other fields that may
contain sensitive information.

Obviously those fields should be access-restricted as well, but you
shouldn't make things easier on any front.


-- 
You prefer the company of the opposite sex, but are well liked by your own.
-- 

Public GPG key at blackhole.pca.dfn.de

GCS/IT d- s:+ a- C(+++)$ UL++++$ P+++(++++)$ L++(+++)$ !E- W+(+++)$
N+(++) o K w$ !O !M V PS(++)@ PE-(++)@ Y+ PGP++(+++) t(+) 5 X R tv--
b++(++++) DI++(++++) D++ G e++>+++++ h(+) r y+**

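As an added illustration of the least-privilege point made in the reply above (this is not code from the original thread or from either poster), the following shows what "a user that only uses a fixed set of queries" looks like as MySQL 5.x grants. The database, table, column and account names are assumed for illustration; the "weak" grant is the kind of blanket privilege the reply argues against.

```sql
-- Added example, not part of the original post or thread.
-- Database `app`, tables `orders`/`customers`, and the accounts
-- 'webapp' and 'reporter' are assumed names for illustration.

-- Weak: one account with every privilege on the whole database. Any
-- compromise of the application (e.g. SQL injection) exposes the full
-- schema and every column in it.
-- GRANT ALL PRIVILEGES ON app.* TO 'webapp'@'localhost' IDENTIFIED BY '...';

-- Tighter: a dedicated account that receives only the privileges its
-- fixed queries need, at column level where the table also holds
-- columns the application never reads.
CREATE USER 'reporter'@'localhost' IDENTIFIED BY 'change-me';

GRANT SELECT (order_id, customer_id, total)
   ON app.orders
   TO 'reporter'@'localhost';

GRANT SELECT (customer_id, display_name)
   ON app.customers
   TO 'reporter'@'localhost';

-- Check, connected as 'reporter': INFORMATION_SCHEMA only lists objects
-- the current account holds some privilege on, so tables and columns
-- that were not granted above do not appear in this result.
SELECT TABLE_NAME, COLUMN_NAME
  FROM INFORMATION_SCHEMA.COLUMNS
 WHERE TABLE_SCHEMA = 'app'
 ORDER BY TABLE_NAME, ORDINAL_POSITION;

-- SHOW statements follow the same privilege rules; compare with the
-- output the same query gives for the over-privileged 'webapp' account.
SHOW TABLES FROM app;
SHOW COLUMNS FROM app.orders;
```

Two caveats when reading the check queries: column-level grants narrow what the account can see of the layout, but, as the reply says, the sensitive columns themselves still need their own access restrictions, and the question the thread raises about MySQL 5.0 specifically is left as posed here; the example only shows the privilege baseline against which such a leak would be judged.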

