Difference between revisions of "Reviewing MySQL Security"

From OWASP

Revision as of 09:24, 24 October 2007

Introduction

As part of a code review you may need to step outside the code itself and assess the security of the database the application relies on, in this case MySQL. The following covers areas which could be looked at. The queries below read the grant tables in the mysql system database (user, db, host and tables_priv), so they must be run from an account that can read that schema, normally the DBA. Run "use mysql;" first, or qualify the table names (mysql.user, mysql.db, and so on).


Privileges

Grant_priv: Allows users to grant their own privileges to other users (the GRANT OPTION). This should be restricted to the DBA and the owners of the data (tables) concerned, since anyone holding it can hand the same access on to further accounts and so undo whatever restrictions were put in place.

Select * from user 
where Grant_priv = 'Y'; 

Select * from db 
where Grant_priv = 'Y';

Select * from host 
where Grant_priv = 'Y';

Select * from tables_priv
where find_in_set('Grant', Table_priv) > 0;

Note that Table_priv in tables_priv is a SET column, so a plain comparison (where Table_priv = 'Grant') only matches rows in which Grant is the sole table-level privilege and silently misses a row holding 'Select,Insert,Grant'. FIND_IN_SET tests membership in the set and catches both.

Alter_priv: Determines who can change the database structure (alter tables) at the global, database and table level. Changing a table's structure is rarely something an application account needs at run time.

Select * from user 
where Alter_priv = 'Y';

Select * from db 
where Alter_priv = 'Y';

Select * from host
where Alter_priv = 'Y';

Select * from tables_priv
where find_in_set('Alter', Table_priv) > 0;
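The same review written out as one added example (this is not code from the OWASP page), run against the mysql system database from a DBA account; an unprivileged account would only see its own grants. It shows the Grant and Alter checks at each of the three levels, with the tables_priv SET matched correctly, and then the equivalent through information_schema, which does not depend on the grant tables' column layout and still works on servers where the host table no longer exists. Table and column names are the standard MySQL ones; the "level" and "scope" output labels are the example's own.

```sql
-- Added example: who can GRANT or ALTER, at each level of the grant tables.
-- Run as a DBA account; everything below reads the mysql system database.
USE mysql;

-- Global level: a 'Y' here applies to every database on the server.
SELECT 'global' AS level, User, Host, '*.*' AS scope, Grant_priv, Alter_priv
  FROM user
 WHERE Grant_priv = 'Y' OR Alter_priv = 'Y';

-- Database level. Db may contain LIKE wildcards (% and _), so one row can
-- cover many schemas; it is listed as stored so the reviewer sees the pattern.
SELECT 'database' AS level, User, Host, Db AS scope, Grant_priv, Alter_priv
  FROM db
 WHERE Grant_priv = 'Y' OR Alter_priv = 'Y';

-- Table level. Table_priv is a SET column: "Table_priv = 'Alter'" matches only
-- rows whose sole table privilege is Alter and misses 'Select,Insert,Alter'.
-- FIND_IN_SET tests membership and returns 0 when the value is absent.
SELECT 'table' AS level, User, Host,
       CONCAT(Db, '.', Table_name) AS scope, Table_priv
  FROM tables_priv
 WHERE FIND_IN_SET('Grant', Table_priv) > 0
    OR FIND_IN_SET('Alter', Table_priv) > 0;

-- Same review through information_schema. GRANT OPTION is not a privilege
-- row of its own here; it appears as IS_GRANTABLE = 'YES' on each privilege
-- the grantee holds. (There is no information_schema view of the host table.)
SELECT 'global' AS level, GRANTEE, '*.*' AS scope, PRIVILEGE_TYPE, IS_GRANTABLE
  FROM information_schema.USER_PRIVILEGES
 WHERE PRIVILEGE_TYPE = 'ALTER' OR IS_GRANTABLE = 'YES'
UNION ALL
SELECT 'database', GRANTEE, TABLE_SCHEMA, PRIVILEGE_TYPE, IS_GRANTABLE
  FROM information_schema.SCHEMA_PRIVILEGES
 WHERE PRIVILEGE_TYPE = 'ALTER' OR IS_GRANTABLE = 'YES'
UNION ALL
SELECT 'table', GRANTEE, CONCAT(TABLE_SCHEMA, '.', TABLE_NAME), PRIVILEGE_TYPE, IS_GRANTABLE
  FROM information_schema.TABLE_PRIVILEGES
 WHERE PRIVILEGE_TYPE = 'ALTER' OR IS_GRANTABLE = 'YES'
 ORDER BY level, GRANTEE, scope;
```

Any application account appearing in the first or last result set is a finding: ALTER and GRANT OPTION belong to the DBA or the table owner, and an application account that holds them at the global level can reshape or re-grant every database on the server.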

User privileges

Here we can check which users have access to perform potentially malicious actions on the database. "Least privilege" is the key point here: an application account normally needs Select, Insert, Update and Delete on its own database (granted in the db table) and nothing else. The flags in the user table are global and apply to every database on the server, and Reload, Shutdown, Process and File affect the server itself rather than the data (File allows reading and writing files on the server host through LOAD DATA INFILE and SELECT ... INTO OUTFILE), so an application account should hold none of them. Two practical caveats: "Select * from user" also returns the password hash column, so leave the hashes out of any written-up results, and the host table was removed in MySQL 5.6.7, so skip that query on later servers.

Select * from user where 
Select_priv  = 'Y' or Insert_priv  = 'Y'
or Update_priv = 'Y' or Delete_priv  = 'Y'
or Create_priv = 'Y' or Drop_priv    = 'Y'
or Reload_priv = 'Y' or Shutdown_priv = 'Y'
or Process_priv = 'Y' or File_priv    = 'Y'
or Grant_priv   = 'Y' or References_priv = 'Y'
or Index_priv = 'Y' or Alter_priv = 'Y';

Select * from host 
where Select_priv  = 'Y' or Insert_priv  = 'Y'
or Update_priv = 'Y' or Delete_priv  = 'Y'
or Create_priv = 'Y' or Drop_priv    = 'Y'
or Grant_priv   = 'Y' or References_priv = 'Y'
or Index_priv = 'Y' or Alter_priv = 'Y';

Select * from db 
where Select_priv  = 'Y' or Insert_priv  = 'Y'
or Update_priv = 'Y' or Delete_priv  = 'Y'
or Create_priv = 'Y' or Drop_priv    = 'Y'
or Grant_priv   = 'Y' or References_priv = 'Y'
or Index_priv = 'Y' or Alter_priv = 'Y';
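The hand-written list above only covers the privilege columns that existed when it was written; later versions added Super_priv, Create_user_priv, Create_routine_priv and others, and an account holding one of those would pass the check unnoticed. The following added example (not code from the OWASP page) builds the global-privilege report at run time from the actual *_priv columns of this server's user table, using information_schema and a prepared statement, and prints one row per account with the privileges it actually holds. Only standard MySQL features are used; the variable names @priv_exprs and @sql and the output column name held_privileges are the example's own.

```sql
-- Added example: least-privilege report over every *_priv column in mysql.user.
-- The column list is read from information_schema, so the query covers
-- privilege flags a fixed list would miss (Super_priv, Create_user_priv, ...).
-- Run as a DBA account.
USE mysql;
SET SESSION group_concat_max_len = 65535;

-- Build the expression list:
--   IF(Select_priv = 'Y', 'Select', NULL), IF(Insert_priv = 'Y', 'Insert', NULL), ...
SELECT GROUP_CONCAT(
         CONCAT('IF(', COLUMN_NAME, ' = ''Y'', ''',
                REPLACE(COLUMN_NAME, '_priv', ''), ''', NULL)')
         ORDER BY ORDINAL_POSITION SEPARATOR ', ')
  INTO @priv_exprs
  FROM information_schema.COLUMNS
 WHERE TABLE_SCHEMA = 'mysql'
   AND TABLE_NAME   = 'user'
   AND COLUMN_NAME LIKE '%\_priv';   -- \_ matches a literal underscore in LIKE

-- One row per account that holds at least one global privilege. CONCAT_WS skips
-- NULL arguments, so the result is a comma-separated list of the privileges
-- actually held; accounts with nothing but USAGE produce '' and are filtered
-- out. User and Host are named explicitly so password hashes stay out of the
-- report.
SET @sql = CONCAT(
  'SELECT User, Host, held_privileges FROM (',
  '  SELECT User, Host, CONCAT_WS('','', ', @priv_exprs, ') AS held_privileges',
  '    FROM mysql.user',
  ') AS t WHERE held_privileges <> '''' ORDER BY User, Host');

PREPARE stmt FROM @sql;
EXECUTE stmt;
DEALLOCATE PREPARE stmt;
```

An application account appearing in this output at all is a finding, whatever the list says: its Select, Insert, Update and Delete belong in the db table, scoped to its own database, not at the global level. The same technique can be pointed at mysql.db by changing TABLE_NAME and the FROM clause to review database-level grants the same way. On MySQL 8.0 the static privileges are still in these columns, but dynamic privileges (BACKUP_ADMIN and similar) are stored in mysql.global_grants and need a separate check.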