This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org
Difference between revisions of "Reviewing MySQL Security"
m (Review) |
|||
| Line 2: | Line 2: | ||
==Introduction== | ==Introduction== | ||
| − | As part of the code review you may need to step outside the code review box to assess the security of a database such as MySQL. | + | As part of the code review, you may need to step outside the code review box to assess the security of a database such as MySQL. The following covers areas which could be looked at: |
| − | The following covers areas which could be looked at: | ||
| − | |||
===Privileges=== | ===Privileges=== | ||
| − | '''Grant_priv''': Allows users to grant privileges to other users. This should be appropriately restricted to the DBA and Data (Table) owners. | + | '''Grant_priv''': Allows users to grant privileges to other users. This should be appropriately restricted to the DBA and Data (Table) owners. |
Select * from user | Select * from user | ||
| Line 21: | Line 19: | ||
where Table_priv = 'Grant'; | where Table_priv = 'Grant'; | ||
| − | '''Alter_priv''':Determine who has access to make changes to the database structure (alter privilege) at a global, database and table. | + | '''Alter_priv''': Determine who has access to make changes to the database structure (alter privilege) at a global, database, and table level. |
Select * from user | Select * from user | ||
| Line 35: | Line 33: | ||
where Table_priv = 'Alter'; | where Table_priv = 'Alter'; | ||
| − | ==== | + | ====MySQL Configuration File==== |
Check for the following: | Check for the following: | ||
| − | a)skip-grant-tables | + | a) skip-grant-tables |
| − | b)safe-show-database | + | b) safe-show-database |
| − | c)safe-user-create | + | c) safe-user-create |
| + | |||
| + | '''a)''' This option causes the server not to use the privilege system at all. All users have full access to all tables. | ||
| − | + | '''b)''' When the '''SHOW DATABASES''' command is executed, it returns only those databases for which the user has some kind of privilege. Default since MySQL v4.0.2. | |
| − | '''b)'''When the '''SHOW DATABASES''' command is executed it returns only those databases for which the user has some kind of privilege. Default since MySQL v4.0.2 | ||
| − | |||
| − | + | '''c)''' With this enabled a user can't create new users with the GRANT command as long as the user does not have the '''INSERT''' privilege for the '''mysql.user table'''. | |
| − | |||
| + | ====User Privileges==== | ||
| + | Here we can check which users have access to perform potentially malicious actions on the database. "Least privilege" is the key point here: | ||
Select * from user where | Select * from user where | ||
| Line 74: | Line 73: | ||
or Index_priv = 'Y' or Alter_priv = 'Y'; | or Index_priv = 'Y' or Alter_priv = 'Y'; | ||
| − | ===Default MySQL | + | ===Default MySQL Accounts=== |
| − | The default account in | + | The default account in MySQL is "root"/"root@localhost" with a blank password. We can check if the root account exists by: |
SELECT User, Host | SELECT User, Host | ||
| Line 82: | Line 81: | ||
===Remote Access=== | ===Remote Access=== | ||
| − | MySQL by default listens on port 3306. If the app server is on localhost also we can disable this port by adding | + | MySQL by default listens on port 3306. If the app server is on localhost also, we can disable this port by adding |
'''skip-networking''' to the [mysqld] in the my.cnf file. | '''skip-networking''' to the [mysqld] in the my.cnf file. | ||
[[Category:OWASP Code Review Project]] | [[Category:OWASP Code Review Project]] | ||
[[Category:MySQL security]] | [[Category:MySQL security]] | ||
Revision as of 20:39, 15 January 2009
OWASP Code Review Guide Table of ContentsIntroduction
As part of the code review, you may need to step outside the code review box to assess the security of a database such as MySQL. The following covers areas which could be looked at:
Privileges
Grant_priv: Allows users to grant privileges to other users. This should be appropriately restricted to the DBA and Data (Table) owners.
Select * from user where Grant_priv = 'Y'; Select * from db where Grant_priv = 'Y'; Select * from host where Grant_priv = 'Y'; Select * from tables_priv where Table_priv = 'Grant';
Alter_priv: Determine who has access to make changes to the database structure (alter privilege) at a global, database, and table level.
Select * from user where Alter_priv = 'Y'; Select * from db where Alter _priv = 'Y'; Select * from host where Alter_priv = 'Y'; Select * from tables_priv where Table_priv = 'Alter';
MySQL Configuration File
Check for the following:
a) skip-grant-tables b) safe-show-database c) safe-user-create
a) This option causes the server not to use the privilege system at all. All users have full access to all tables.
b) When the SHOW DATABASES command is executed, it returns only those databases for which the user has some kind of privilege. Default since MySQL v4.0.2.
c) With this enabled a user can't create new users with the GRANT command as long as the user does not have the INSERT privilege for the mysql.user table.
User Privileges
Here we can check which users have access to perform potentially malicious actions on the database. "Least privilege" is the key point here:
Select * from user where Select_priv = 'Y' or Insert_priv = 'Y' or Update_priv = 'Y' or Delete_priv = 'Y' or Create_priv = 'Y' or Drop_priv = 'Y' or Reload_priv = 'Y' or Shutdown_priv = 'Y' or Process_priv = 'Y' or File_priv = 'Y' or Grant_priv = 'Y' or References_priv = ‘Y' or Index_priv = 'Y' or Alter_priv = 'Y';
Select * from host where Select_priv = 'Y' or Insert_priv = 'Y' or Create_priv = 'Y' or Drop_priv = 'Y' or Index_priv = 'Y' or Alter_priv = 'Y'; or Grant_priv = 'Y' or References_priv = ‘Y' or Update_priv = 'Y' or Delete_priv = 'Y'
Select * from db where Select_priv = 'Y' or Insert_priv = 'Y' or Grant_priv = 'Y' or References_priv = ‘Y' or Update_priv = 'Y' or Delete_priv = 'Y' or Create_priv = 'Y' or Drop_priv = 'Y' or Index_priv = 'Y' or Alter_priv = 'Y';
Default MySQL Accounts
The default account in MySQL is "root"/"root@localhost" with a blank password. We can check if the root account exists by:
SELECT User, Host FROM user WHERE User = 'root';
Remote Access
MySQL by default listens on port 3306. If the app server is on localhost also, we can disable this port by adding skip-networking to the [mysqld] in the my.cnf file.
