Reviewing MySQL Security

From OWASP
Revision as of 21:48, 26 August 2008 by Rahimjina (talk | contribs) (Review)

Jump to: navigation, search
OWASP Code Review Guide Table of Contents

Introduction

As part of the code review you may need to step outside the code review box to assess the security of a database such as MySQL. The following covers areas which could be looked at:


Privileges

Grant_priv: Allows users to grant privileges to other users. This should be appropriately restricted to the DBA and Data (Table) owners.

Select * from user 
where Grant_priv = 'Y'; 

Select * from db 
where Grant_priv = 'Y';

Select * from host 
where Grant_priv = 'Y';

Select * from tables_priv
where Table_priv = 'Grant';

Alter_priv:Determine who has access to make changes to the database structure (alter privilege) at a global, database and table.

Select * from user 
where Alter_priv = 'Y';

Select * from db 
where Alter _priv = 'Y';

Select * from host
where Alter_priv = 'Y';

Select * from tables_priv
where Table_priv = 'Alter';

mysqld configuration file

Check for the following:

a)skip-grant-tables
b)safe-show-database
c)safe-user-create

a)This option causes the server not to use the privilege system at all. All users have full access to all tables b)When the SHOW DATABASES command is executed it returns only those databases for which the user has some kind of privilege. Default since MySQL v4.0.2. c)With this enabled a user can't create new users with the GRANT command as long as the user does not have the INSERT privilege for the mysql.user table.

User privileges

Here we can check which users have access to perform potentially malicious actions on the database. "Least privilege" is the key point here:


Select * from user where 
Select_priv  = 'Y' or Insert_priv  = 'Y'
or Update_priv = 'Y' or Delete_priv  = 'Y'
or Create_priv = 'Y' or Drop_priv    = 'Y'
or Reload_priv = 'Y' or Shutdown_priv = 'Y'
or Process_priv = 'Y' or File_priv    = 'Y'
or Grant_priv   = 'Y' or References_priv = ‘Y'
or Index_priv = 'Y' or Alter_priv = 'Y';
Select * from host 
where Select_priv  = 'Y' or Insert_priv  = 'Y'
or Create_priv = 'Y' or Drop_priv    = 'Y'
or Index_priv = 'Y' or Alter_priv = 'Y'; 
or Grant_priv   = 'Y' or References_priv = ‘Y'
or Update_priv = 'Y' or Delete_priv  = 'Y'
Select * from db 
where Select_priv  = 'Y' or Insert_priv  = 'Y'
or Grant_priv   = 'Y' or References_priv = ‘Y'
or Update_priv = 'Y' or Delete_priv  = 'Y'
or Create_priv = 'Y' or Drop_priv    = 'Y'
or Index_priv = 'Y' or Alter_priv = 'Y';

Default MySQL accounts

The default account in MySQl is "root"/"root@localhost" with a blank password. We can check if the root account exists by:

SELECT User, Host 
FROM user
WHERE User = 'root';

Remote Access

MySQL by default listens on port 3306. If the app server is on localhost also we can disable this port by adding skip-networking to the [mysqld] in the my.cnf file.