Difference between revisions of "Reviewing MySQL Security"

From OWASP
Revision as of 09:34, 24 October 2007


Introduction

As part of the code review you may need to step outside the code review box to assess the security of a database such as MySQL. The following covers areas which could be looked at:


Privileges

Grant_priv: Allows users to grant privileges to other users. This should be appropriately restricted to the DBA and Data (Table) owners.

Select * from user 
where Grant_priv = 'Y'; 

Select * from db 
where Grant_priv = 'Y';

Select * from host 
where Grant_priv = 'Y';

Select * from tables_priv
where Table_priv = 'Grant';

Alter_priv: Determine who has access to make changes to the database structure (alter privilege) at the global, database and table level.

Select * from user 
where Alter_priv = 'Y';

Select * from db 
where Alter_priv = 'Y';

Select * from host
where Alter_priv = 'Y';

Select * from tables_priv
where Table_priv = 'Alter';

User privileges

Here we can check which users have access to perform potentially malicious actions on the database. "Least privilege" is the key point here:


Select * from user 
where Select_priv  = 'Y' or Insert_priv  = 'Y'
or Update_priv = 'Y' or Delete_priv  = 'Y'
or Create_priv = 'Y' or Drop_priv    = 'Y'
or Reload_priv = 'Y' or Shutdown_priv = 'Y'
or Process_priv = 'Y' or File_priv    = 'Y'
or Grant_priv   = 'Y' or References_priv = 'Y'
or Index_priv = 'Y' or Alter_priv = 'Y';

Select * from host 
where Select_priv  = 'Y' or Insert_priv  = 'Y'
or Update_priv = 'Y' or Delete_priv  = 'Y'
or Create_priv = 'Y' or Drop_priv    = 'Y'
or Grant_priv   = 'Y' or References_priv = 'Y'
or Index_priv = 'Y' or Alter_priv = 'Y';

Select * from db 
where Select_priv  = 'Y' or Insert_priv  = 'Y'
or Update_priv = 'Y' or Delete_priv  = 'Y'
or Create_priv = 'Y' or Drop_priv    = 'Y'
or Grant_priv   = 'Y' or References_priv = 'Y'
or Index_priv = 'Y' or Alter_priv = 'Y';
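The queries above answer "who has anything" one table at a time. The consolidated audit below is an added example (it is not part of the OWASP page) that a reviewer can paste into a DBA-level session. It assumes the classic MySQL 5.x grant tables the page targets (mysql.user, mysql.db, mysql.host, mysql.tables_priv) and goes slightly beyond the page in two ways: it names the offending privilege columns instead of returning every column, and it checks tables_priv with FIND_IN_SET, because Table_priv is a SET column and an equality test against 'Grant' misses rows such as 'Select,Grant'. Super_priv and the wildcard-host check are additions not mentioned on the page.

```sql
-- Added example (not the OWASP page's own queries): least-privilege audit
-- across the MySQL 5.x grant tables. Run as a DBA; read-only apart from nothing.

-- 1. Global privileges: a 'Y' here applies to every database on the server,
--    so any row returned deserves a justification from the DBA.
SELECT User, Host,
       Grant_priv, Alter_priv, Create_priv, Drop_priv, Index_priv,
       File_priv, Process_priv, Reload_priv, Shutdown_priv, Super_priv
FROM mysql.user
WHERE Grant_priv = 'Y' OR Alter_priv = 'Y' OR Create_priv = 'Y'
   OR Drop_priv  = 'Y' OR Index_priv = 'Y' OR File_priv   = 'Y'
   OR Process_priv = 'Y' OR Reload_priv = 'Y' OR Shutdown_priv = 'Y'
   OR Super_priv = 'Y'
ORDER BY User, Host;

-- 2. Database-level privileges: the same structural flags scoped to one schema.
SELECT Db, User, Host,
       Grant_priv, Alter_priv, Create_priv, Drop_priv, Index_priv
FROM mysql.db
WHERE Grant_priv = 'Y' OR Alter_priv = 'Y' OR Create_priv = 'Y'
   OR Drop_priv  = 'Y' OR Index_priv = 'Y'
ORDER BY Db, User, Host;

-- 3. Host-level privileges (mysql.host exists in 5.x; it was dropped in 5.6.7).
SELECT Host, Db, Grant_priv, Alter_priv, Create_priv, Drop_priv, Index_priv
FROM mysql.host
WHERE Grant_priv = 'Y' OR Alter_priv = 'Y' OR Create_priv = 'Y'
   OR Drop_priv  = 'Y' OR Index_priv = 'Y';

-- 4. Table-level privileges. Table_priv is a SET, so FIND_IN_SET is needed:
--    "WHERE Table_priv = 'Grant'" only matches a row holding exactly that one
--    privilege and silently misses 'Select,Grant'.
SELECT Db, Table_name, User, Host, Table_priv
FROM mysql.tables_priv
WHERE FIND_IN_SET('Grant', Table_priv) > 0
   OR FIND_IN_SET('Alter', Table_priv) > 0
   OR FIND_IN_SET('Drop',  Table_priv) > 0
ORDER BY Db, Table_name;

-- 5. Wildcard hosts: an account reachable from any host multiplies the impact
--    of every flag above, so list them alongside the privilege findings.
SELECT User, Host
FROM mysql.user
WHERE Host LIKE '%\%%'
ORDER BY User;
```

Review the output of query 1 first: a global Grant_priv, File_priv or Super_priv on an application account almost always indicates the account was created with ALL PRIVILEGES for convenience rather than with the specific grants the application needs.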

Default MySQL accounts

The default account in MySQL is "root"/"root@localhost" with a blank password. We can check if the root account exists by:

SELECT User, Host 
FROM user
WHERE User = 'root';

Remote Access

MySQL by default listens on TCP port 3306. If the application server is also on localhost, this port can be disabled by adding skip-networking to the [mysqld] section of the my.cnf file, after which the server accepts local socket connections only.
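The two checks above (default root account, remote listener) can be verified from the same DBA session. The following is an added example, not code from the OWASP page; it assumes MySQL 5.x, where the password hash is stored in mysql.user.Password (on 5.7 and later the column is authentication_string). It goes beyond the page by also listing anonymous accounts, which default installations of that era create, and by confirming through SHOW VARIABLES that the skip-networking change actually took effect after the restart. The DROP USER and SET PASSWORD statements at the end are illustrative remediation with placeholder values.

```sql
-- Added example (not the OWASP page's own queries): default-account and
-- remote-access checks for MySQL 5.x.

-- 1. root accounts, and whether each still has the installation default of
--    an empty password (Password column; authentication_string on 5.7+).
SELECT User, Host,
       CASE WHEN Password = '' THEN 'EMPTY' ELSE 'set' END AS password_state
FROM mysql.user
WHERE User = 'root'
ORDER BY Host;

-- 2. Anonymous accounts (User = '') created by default installs; any of
--    these lets a caller connect with no username at all.
SELECT User, Host
FROM mysql.user
WHERE User = '';

-- 3. Any account, not only root, that still has an empty password.
SELECT User, Host
FROM mysql.user
WHERE Password = '';

-- 4. Remote access: after adding skip-networking to [mysqld] in my.cnf and
--    restarting, skip_networking must read ON. If it reads OFF, the server
--    still listens on the port reported by the second statement (3306 by default).
SHOW VARIABLES LIKE 'skip_networking';
SHOW VARIABLES LIKE 'port';

-- 5. Remediation examples (placeholder values; adapt to the findings above).
DROP USER ''@'localhost';                                  -- one anonymous account
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('<strong-password-placeholder>');
FLUSH PRIVILEGES;
```

Run the remediation statements only after confirming the application's own connection string does not rely on an anonymous or blank-password account; otherwise the fix breaks the application rather than hardening it.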