oss-sec mailing list archives

Re: Clear text password in process list when using MySQL GUI tools


From: "Steven M. Christey" <coley () linus mitre org>
Date: Wed, 17 Nov 2010 17:00:29 -0500 (EST)


On Wed, 17 Nov 2010, Josh Bressers wrote:

What are the thoughts of MITRE on this one? This affects all sorts of stuff, and I don't see upstream removing the command line option (which is probably the only fix).

As already mentioned, this kind of thing has been covered in CVE before, and I don't see a reason to omit it. Yes it can be a pain to fix, but in most informal security models, one unprivileged user on a local system should not be able to view any portion of sensitive information that is owned by another unprivileged user. In the case of password/credential leaks, in some cases this effectively compromises a remote system, too. If an app *only* supports passing of sensitive information through command-line arguments, then IMO it's probably worthy of a CVE.

My understanding is that some OSes or modules don't support listing of process arguments (or even processes of other users?), but I would guess that most cross-OS (or cross-distro) code has a good likelihood of running on an OS that supports process arguments.

By the way, this also theoretically applies to environment variables, but let's not go there.

Both problems pose a Pandora's box of questions regarding how to define 'sensitive information' in a local context (e.g., presumably users on a local system have the "privileges" to know the home directories of all other users) but let's not go there, either ;-)

CWE-214 (Process Environment Information Leak) includes some examples.

- Steve
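
Added example (not part of the original message or thread): a defensive audit that parses argument lists in the Linux /proc/<pid>/cmdline format and reports which credential-style flags appear, with the values redacted. The option names, the program list and the sample command lines are assumptions constructed for illustration.

```python
import re

# Heuristic option names (assumed for this example, not an exhaustive list).
LONG_EQ = re.compile(r"^(--(?:password|passwd|token|secret))=(.+)$", re.I)
LONG_SEP = re.compile(r"^--(?:password|passwd|token|secret)$", re.I)
SHORT_P = re.compile(r"^-p.+$")          # MySQL-client style: -pVALUE, no space
SHORT_P_PROGRAMS = ("mysql", "mysqldump", "mysqladmin")

def split_cmdline(raw: bytes) -> list:
    """Linux /proc/<pid>/cmdline stores argv as NUL-terminated strings."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]

def audit_argv(argv):
    """Return (flags_found, redacted_argv); secret values are never returned."""
    found, redacted = [], []
    prog = argv[0].rsplit("/", 1)[-1] if argv else ""
    i = 0
    while i < len(argv):
        arg = argv[i]
        m = LONG_EQ.match(arg)
        if m:                                        # --password=VALUE
            found.append(m.group(1))
            redacted.append(m.group(1) + "=<redacted>")
        elif LONG_SEP.match(arg) and i + 1 < len(argv):   # --password VALUE
            found.append(arg)
            redacted += [arg, "<redacted>"]
            i += 1                                   # skip the value
        elif prog in SHORT_P_PROGRAMS and SHORT_P.match(arg):
            found.append("-p")
            redacted.append("-p<redacted>")
        else:
            redacted.append(arg)
        i += 1
    return found, redacted

# Constructed samples in /proc/<pid>/cmdline format (not real captures).
SAMPLES = [
    b"/usr/bin/mysql\0-u\0app\0-pExamplePw1\0-h\0db.example.internal\0",
    b"/opt/tool/backup\0--password=ExamplePw2\0--verbose\0",
    b"/bin/ls\0-p\0/tmp\0",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        found, redacted = audit_argv(split_cmdline(raw))
        print("FLAG" if found else "ok  ", found, " ".join(redacted))
```

The space-separated form is a heuristic: a tool that treats a bare --password as "prompt me" will be flagged if another argument follows it, so findings need a manual check.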

