FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

mysql -- GRANT access restriction problem

Affected packages
mysql-server <= 3.23.58_3
4.* <= mysql-server < 4.0.21

Details

VuXML ID 01c231cd-4393-11d9-8bb9-00065be4b5b6
Discovery 2004-03-29
Entry 2004-12-16
Modified 2005-03-15

When a user is granted access to a database whose name contains an underscore, and the underscore is not escaped, that user might also be able to access other, similarly named databases on the affected system.

The problem is that MySQL treats the underscore as a wildcard, so an admin might accidentally GRANT a user access to multiple databases.

References

Bugtraq ID 11435
CVE Name CVE-2004-0957
URL http://bugs.mysql.com/bug.php?id=3933
URL http://rhn.redhat.com/errata/RHSA-2004-611.html
URL http://www.openpkg.org/security/OpenPKG-SA-2004.045-mysql.html