Difference between revisions of "Reviewing MySQL Security"
Line 60: | Line 60: | ||
or Create_priv = 'Y' or Drop_priv = 'Y' | or Create_priv = 'Y' or Drop_priv = 'Y' | ||
or Index_priv = 'Y' or Alter_priv = 'Y'; | or Index_priv = 'Y' or Alter_priv = 'Y'; | ||
+ | |||
+ | ===Default MySQL accounts=== | ||
+ | The default account in MySQl is "root"/"root@localhost" with a blank password. We can check if the root account exists by: | ||
+ | |||
+ | SELECT User, Host | ||
+ | FROM user | ||
+ | WHERE User = 'root'; | ||
+ | |||
+ | ===Remote Access=== | ||
+ | MySQL by default listens on port 3306. If the app server is on localhost also we can disable this port by adding | ||
+ | '''skip-networking''' to the [mysqld] in the my.cnf file. |
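Review bot: the root check added here, `SELECT User, Host FROM user WHERE User = 'root';`, only tells the reviewer that root accounts exist, while the sentence above it is about the blank password; add `AND Password = ''` (the password column of the grant table) so the query reports which root accounts are actually passwordless. The queries in this hunk also assume the `mysql` system database is already selected; either qualify the table as `mysql.user` or precede them with `USE mysql;` so the check cannot silently run against the wrong schema. Minor: "MySQl" should read "MySQL".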
Revision as of 14:34, 24 October 2007
Introduction
As part of the code review you may need to step outside the code review box to assess the security of a database such as MySQL. The following covers areas which could be looked at:
Privileges
Grant_priv: Allows users to grant privileges to other users. This should be appropriately restricted to the DBA and Data (Table) owners.
Select * from user where Grant_priv = 'Y';
Select * from db where Grant_priv = 'Y';
Select * from host where Grant_priv = 'Y';
Select * from tables_priv where Table_priv = 'Grant';
Alter_priv: Determine who has access to make changes to the database structure (alter privilege) at the global, database and table level.
Select * from user where Alter_priv = 'Y';
Select * from db where Alter_priv = 'Y';
Select * from host where Alter_priv = 'Y';
Select * from tables_priv where Table_priv = 'Alter';
User privileges
Here we can check which users have access to perform potentially malicious actions on the database. "Least privilege" is the key point here:
Select * from user where Select_priv = 'Y' or Insert_priv = 'Y' or Update_priv = 'Y' or Delete_priv = 'Y' or Create_priv = 'Y' or Drop_priv = 'Y' or Reload_priv = 'Y' or Shutdown_priv = 'Y' or Process_priv = 'Y' or File_priv = 'Y' or Grant_priv = 'Y' or References_priv = 'Y' or Index_priv = 'Y' or Alter_priv = 'Y';
Select * from host where Select_priv = 'Y' or Insert_priv = 'Y' or Create_priv = 'Y' or Drop_priv = 'Y' or Index_priv = 'Y' or Alter_priv = 'Y' or Grant_priv = 'Y' or References_priv = 'Y' or Update_priv = 'Y' or Delete_priv = 'Y';
Select * from db where Select_priv = 'Y' or Insert_priv = 'Y' or Grant_priv = 'Y' or References_priv = 'Y' or Update_priv = 'Y' or Delete_priv = 'Y' or Create_priv = 'Y' or Drop_priv = 'Y' or Index_priv = 'Y' or Alter_priv = 'Y';
Default MySQL accounts
The default account in MySQL is "root"/"root@localhost" with a blank password. We can check if the root account exists by:
SELECT User, Host FROM user WHERE User = 'root';
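The grant-table checks above (Grant_priv, Alter_priv, the "any privilege" query and the root check) are easiest to repeat across many servers as a script. The following is an added example, not part of the original wiki page: it runs those queries over a constructed copy of the mysql.user table loaded into an in-memory SQLite database, so it executes offline. The column names follow the MySQL 5.0 grant table used on the page; the account rows and password hashes are constructed sample data, and the root check is tightened to require an empty Password column as well, which is an assumption about what the reviewer wants to find.

```python
import sqlite3

# Global privilege columns of the mysql.user table (MySQL 5.0 names, as used on the page).
GLOBAL_PRIVS = [
    "Select_priv", "Insert_priv", "Update_priv", "Delete_priv", "Create_priv",
    "Drop_priv", "Reload_priv", "Shutdown_priv", "Process_priv", "File_priv",
    "Grant_priv", "References_priv", "Index_priv", "Alter_priv",
]

# Constructed sample accounts (not from any real server):
# (User, Host, Password, set of global privileges held)
SAMPLE_ACCOUNTS = [
    ("root", "localhost", "", set(GLOBAL_PRIVS)),                    # default install, blank password
    ("root", "%", "", set(GLOBAL_PRIVS)),                            # same, but reachable from any host
    ("dba", "localhost", "*PLACEHOLDER_HASH", set(GLOBAL_PRIVS)),   # DBA with a password set
    ("appuser", "localhost", "*PLACEHOLDER_HASH",
     {"Select_priv", "Insert_priv", "Update_priv", "Delete_priv"}),  # DML only
    ("reporting", "localhost", "*PLACEHOLDER_HASH", {"Select_priv"}),
    ("nobody", "localhost", "*PLACEHOLDER_HASH", set()),             # no global privileges at all
]


def load_sample_grant_table():
    """Build an in-memory SQLite stand-in for mysql.user from the constructed rows."""
    conn = sqlite3.connect(":memory:")
    cols = ", ".join(f"{p} TEXT NOT NULL DEFAULT 'N'" for p in GLOBAL_PRIVS)
    conn.execute(f"CREATE TABLE user (User TEXT, Host TEXT, Password TEXT, {cols})")
    placeholders = ", ".join("?" for _ in range(3 + len(GLOBAL_PRIVS)))
    for user, host, password, privs in SAMPLE_ACCOUNTS:
        flags = ["Y" if p in privs else "N" for p in GLOBAL_PRIVS]
        conn.execute(f"INSERT INTO user VALUES ({placeholders})", [user, host, password, *flags])
    return conn


def root_accounts_with_blank_password(conn):
    """The page's root check, tightened to report only root accounts with an empty password."""
    return conn.execute(
        "SELECT User, Host FROM user WHERE User = 'root' AND Password = '' ORDER BY User, Host"
    ).fetchall()


def accounts_with_privilege(conn, priv):
    """Who holds one specific global privilege, e.g. Grant_priv or Alter_priv."""
    if priv not in GLOBAL_PRIVS:  # column names cannot be bound as parameters, so whitelist them
        raise ValueError(f"unknown privilege column: {priv}")
    return conn.execute(
        f"SELECT User, Host FROM user WHERE {priv} = 'Y' ORDER BY User, Host"
    ).fetchall()


def privileged_accounts(conn):
    """The page's 'any privilege' query, returned as {(User, Host): [privileges held]}."""
    where = " OR ".join(f"{p} = 'Y'" for p in GLOBAL_PRIVS)
    rows = conn.execute(
        f"SELECT User, Host, {', '.join(GLOBAL_PRIVS)} FROM user WHERE {where} ORDER BY User, Host"
    ).fetchall()
    return {
        (user, host): [p for p, flag in zip(GLOBAL_PRIVS, flags) if flag == "Y"]
        for user, host, *flags in rows
    }


if __name__ == "__main__":
    db = load_sample_grant_table()
    print("root accounts with blank password:", root_accounts_with_blank_password(db))
    print("Grant_priv holders:", accounts_with_privilege(db, "Grant_priv"))
    for (user, host), privs in privileged_accounts(db).items():
        print(f"{user}@{host}: {', '.join(privs)}")
```

Against a real server the same statements run unchanged with `mysql.user` as the table name; the per-account privilege list is what makes the least-privilege comparison practical, since an application account that should only need DML stands out immediately next to one holding Grant_priv or File_priv.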
Remote Access
MySQL by default listens on port 3306. If the application server is also on localhost, we can disable this port by adding skip-networking to the [mysqld] section of the my.cnf file.
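A quick way to verify the setting during a review is to parse my.cnf and report whether the [mysqld] section carries skip-networking. The script below is an added example, not from the original page; the two configuration files are constructed samples, one with the default network listener and one with networking disabled. It assumes the my.cnf layout shown (INI-style sections with bare flags), and that MySQL accepts either skip-networking or skip_networking, which is how MySQL treats dashes and underscores in option names.

```python
import configparser

# Constructed sample my.cnf files (not from any real host).
SAMPLE_MY_CNF_OPEN = """\
[client]
port = 3306

[mysqld]
port = 3306
datadir = /var/lib/mysql
"""

SAMPLE_MY_CNF_LOCAL_ONLY = """\
[mysqld]
datadir = /var/lib/mysql
skip-networking
"""


def parse_my_cnf(text):
    """Parse my.cnf text; allow_no_value is needed for bare flags such as skip-networking."""
    cfg = configparser.ConfigParser(allow_no_value=True, strict=False, interpolation=None)
    cfg.read_string(text)
    return cfg


def network_listener_status(text):
    """Report whether [mysqld] disables TCP and, if not, which port it would listen on."""
    cfg = parse_my_cnf(text)
    if not cfg.has_section("mysqld"):
        # No server section at all: the daemon runs with its built-in defaults.
        return {"tcp_disabled": False, "port": 3306}
    section = cfg["mysqld"]
    # configparser lowercases keys; both spellings are checked because MySQL accepts either.
    disabled = "skip-networking" in section or "skip_networking" in section
    if disabled:
        return {"tcp_disabled": True, "port": None}
    return {"tcp_disabled": False, "port": int(section.get("port", "3306"))}


if __name__ == "__main__":
    for label, text in (("default", SAMPLE_MY_CNF_OPEN), ("local-only", SAMPLE_MY_CNF_LOCAL_ONLY)):
        print(label, network_listener_status(text))
```

Run it against the real file with `network_listener_status(open("/etc/my.cnf").read())`; a result of `{"tcp_disabled": False, "port": 3306}` on a host where the application is co-located is the finding the section above describes.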