CVE-1999-1188

MEDIUM 4.6 / 10.0
Published: December 27, 1998 at 05:00 AM
Modified: April 3, 2025 at 01:03 AM
Source: cve@mitre.org

Vulnerability Description

mysqld in MySQL 3.21 creates log files with world-readable permissions, which allows local users to obtain passwords for users who are added to the user database.

CVSS Metrics

Base Score
4.6
Severity
MEDIUM
Vector String
AV:L/AC:L/Au:N/C:P/I:P/A:P

Weaknesses (CWE)

NVD-CWE-Other
Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

MySQL 3.21 contains a local information-disclosure vulnerability rated MEDIUM (CVSS 4.6). The mysqld process creates log files with world-readable permissions, exposing the passwords of users added to the user database to any local user. A local user who reads these logs can gain unauthorized access to the database and potentially compromise the system.

02 // Vulnerability Mechanism

Step 1: User Account Creation: An administrator adds a new user to the MySQL database, including a username and password.

Step 2: Log File Generation: The mysqld process logs information about the user creation, including the password (or a hash) to a log file.

Step 3: Permission Flaw: The mysqld process creates the log file with world-readable permissions (e.g., mode 0644).

Step 4: Local User Access: A local attacker gains access to the system, either through existing credentials or another vulnerability.

Step 5: Log File Reading: The attacker reads the world-readable log file.

Step 6: Password Extraction: The attacker extracts the user's password (or cracks the hash) from the log file.

Step 7: Database Compromise: The attacker uses the extracted credentials to log into the MySQL database and gain unauthorized access.

03 // Deep Technical Analysis

The vulnerability stems from how the MySQL server creates its log files. During its logging operations, the mysqld process fails to restrict access to the files it generates. The default file creation mode grants world-readable permissions (e.g., mode 0644), meaning any local user can read the contents of these log files. These logs contain sensitive information, including user passwords, which are stored in plain text or easily reversible formats. The root cause is a lack of secure file permission handling during log file creation, a common oversight in early software development. The absence of proper access controls allows the unauthorized disclosure of sensitive credentials.
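The following is an added example, not taken from the CVE record or from MySQL's code: the defensive side of the permission flaw described above, in Python. It audits a directory for log files readable by group or other, and opens a log with mode 0600 instead of 0644. The function names and the sample file names are assumptions made for the illustration.

```python
import os
import stat
import tempfile

# Any read bit for group or other means accounts besides the owner can read the log.
EXPOSED_BITS = stat.S_IRGRP | stat.S_IROTH


def find_exposed_logs(data_dir):
    """Return sorted (path, octal mode) pairs for regular files readable beyond their owner."""
    exposed = []
    for dirpath, _dirs, files in os.walk(data_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: report on the entry itself, never a symlink target
            if stat.S_ISREG(st.st_mode) and st.st_mode & EXPOSED_BITS:
                exposed.append((path, oct(stat.S_IMODE(st.st_mode))))
    return sorted(exposed)


def open_private_log(path):
    """Open a log for appending so that only the owning account can read or write it."""
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | getattr(os, "O_NOFOLLOW", 0)
    fd = os.open(path, flags, 0o600)  # the mode argument applies only when the file is created
    os.fchmod(fd, 0o600)              # also tightens a pre-existing file with a looser mode
    return os.fdopen(fd, "a")


def demo():
    """Constructed sample: one log left at mode 0644, one opened privately."""
    with tempfile.TemporaryDirectory() as d:
        weak = os.path.join(d, "weak.log")
        with open(weak, "w") as f:
            f.write("constructed sample line\n")
        os.chmod(weak, 0o644)
        with open_private_log(os.path.join(d, "private.log")) as f:
            f.write("constructed sample line\n")
        return [(os.path.basename(p), m) for p, m in find_exposed_logs(d)]


if __name__ == "__main__":
    print(demo())
```

Setting the mode at open time and again with `fchmod` covers both a permissive umask-independent create and a log file that already exists with looser permissions.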
