MySQL Security - MySQL User Conference & Expo, Tuesday, April 24th, 2007
MySQL Security
MySQL User Conference & Expo
Tuesday, April 24th, 2007
Sheeri Kritzer, MySQL DBA
http://[email protected]
Overview
➲ ACLs
➲ Test dbs & anonymous accounts
➲ OS files and permissions
Overview
➲ Application data flow
➲ SQL Injection
➲ XSS
ACLs - Who Has Access?
➲ SELECT user,host,password FROM mysql.user;
➲ SUPER
➲ Anonymous
ACLs – From where?
➲ %
➲ %.company.com
➲ 192.168.% or 10.0.%
ACLs – From where?
➲ localhost, --skip-networking
➲ firewall
➲ DOS
ACLs – To Do What?
➲ --local-infile=0
➲ --skip-symbolic-links
➲ GRANT ... WITH MAX_QUERIES_PER_HOUR, MAX_UPDATES_PER_HOUR, MAX_CONNECTIONS_PER_HOUR
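The ACL slides ask who has access, from where, and with what privileges. The following is an added example, not from the deck: a small Python review of rows as returned by SELECT user, host, password, Super_priv FROM mysql.user (the Super_priv column is an assumption beyond the slide's query), flagging anonymous accounts, empty passwords, wildcard hosts and SUPER. The rows here are constructed.

```python
# Added example (not from the deck): review mysql.user rows the way the ACL
# slides suggest. Rows are constructed; in practice they come from
#   SELECT user, host, password, Super_priv FROM mysql.user;
from dataclasses import dataclass


@dataclass
class Account:
    user: str
    host: str
    password: str    # hash column as stored in mysql.user; '' means no password
    super_priv: str  # 'Y' or 'N'


def review_account(acct: Account) -> list:
    """Return findings for one mysql.user row (empty list = nothing flagged)."""
    findings = []
    if acct.user == "":
        findings.append("anonymous account")
    if acct.password == "":
        findings.append("empty password")
    host = acct.host
    if host == "%":
        findings.append("reachable from any host")
    elif "%" in host or "_" in host:
        # '%.company.com' or '192.168.%' is narrower than '%' but still a
        # range of hosts rather than one host ('_' is the single-char wildcard).
        findings.append("wildcard host pattern %r" % host)
    if acct.super_priv == "Y" and host != "localhost":
        findings.append("SUPER granted to a non-localhost account")
    return findings


def review_all(accounts):
    """Map 'user@host' to its findings so the report can be eyeballed or diffed."""
    return {"%s@%s" % (a.user, a.host): review_account(a) for a in accounts}


# Constructed sample rows; '*HASH' stands in for a real password hash.
SAMPLE_ACCOUNTS = [
    Account("root", "localhost", "*HASH", "Y"),
    Account("", "localhost", "", "N"),
    Account("app", "%", "*HASH", "N"),
    Account("report", "%.company.com", "*HASH", "N"),
    Account("dba", "192.168.%", "*HASH", "Y"),
]

if __name__ == "__main__":
    for name, findings in review_all(SAMPLE_ACCOUNTS).items():
        print(name, findings or "ok")
```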
Server Options
➲ --bind-address
➲ --skip-name-resolve
➲ --skip-show-database
Changing ACLs
➲ How are ACL changes audited?
➲ When do ACL changes happen?
Audit Example - PHP
➲ Create a table for information:
CREATE TABLE `action` (
  `user` varchar(77) NOT NULL default '',
  `asuser` varchar(77) NOT NULL default '',
  `db` varchar(64) NOT NULL default '',
  `query` mediumtext NOT NULL
) ENGINE=MyISAM DEFAULT CHARSET=utf8 COMMENT='77=16+1+60';
Audit Example - PHP
➲ Create the function:
function my_mysql_query ($query, $dblink) {
    // Escape the query text so it can be stored as a string literal in the audit row
    $logged = mysql_real_escape_string($query, $dblink);
    $action = "INSERT INTO action (user, asuser, db, query) VALUES (CURRENT_USER(), USER(), DATABASE(), '$logged')";
    mysql_query($action, $dblink);
    return mysql_query($query, $dblink);
}
Audit Example - PHP
➲ Use the function:
$result = my_mysql_query($query, $dblink);
➲ Which records, for $query = 'select foo from bar':
INSERT INTO action (user, asuser, db, query) VALUES (CURRENT_USER(), USER(), DATABASE(), 'select foo from bar');
Test Databases
➲ Why get rid of them?
➲ Copying tables
➲ Stuff with data
OS Files and Permissions
➲ mysql server user
➲ mysql server files & logs
➲ Passwords on commandline
➲ Office policies/runbook
OS Files and Permissions
➲ Backups
➲ /etc/my.cnf, my.ini, .my.cnf
➲ CLI, GUI tools
➲ Personal history files
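The two slides above list the files where MySQL credentials tend to leak: option files (my.cnf, .my.cnf), backups, and the client history file that records every GRANT ... IDENTIFIED BY typed at the prompt. Added example, not from the deck: a Python check that flags a file when it holds a password and is readable by group or others. File names and contents are constructed in a temporary directory; the patterns are my own assumptions about what a password line looks like.

```python
# Added example (not from the deck): flag option files and client history files
# that hold a password in plaintext and are readable by other users.
import os
import re
import stat
import tempfile

# An option-file line such as "password=secret", or the SQL statements that carry a
# password and end up in .mysql_history (IDENTIFIED BY / SET PASSWORD / PASSWORD()).
SECRET_PATTERNS = [
    re.compile(r"^\s*password\s*=", re.I),
    re.compile(r"\bIDENTIFIED\s+BY\b", re.I),
    re.compile(r"\bSET\s+PASSWORD\b", re.I),
    re.compile(r"\bPASSWORD\s*\(", re.I),
]


def audit_file(path):
    """Return findings for one file: which lines hold a password, and whether
    the file exposes them to group/other readers. A file with no password line
    is not flagged for its mode (a world-readable server my.cnf is normal)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        secret_lines = [n for n, line in enumerate(fh, 1)
                        if any(p.search(line) for p in SECRET_PATTERNS)]
    findings = []
    mode = os.stat(path).st_mode
    if secret_lines and mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("readable by group or others (mode %o)" % stat.S_IMODE(mode))
    findings.extend("line %d holds a password" % n for n in secret_lines)
    return findings


def demo():
    """Write constructed .my.cnf, .mysql_history and my.cnf files to a temp dir
    with the given modes, audit each, and return the findings keyed by name."""
    files = {
        ".my.cnf": ("[client]\nuser=app\npassword=s3cret\n", 0o600),
        ".mysql_history": ("GRANT ALL ON db.* TO 'bob'@'%' IDENTIFIED BY 'hunter2';\n"
                           "SELECT 1;\n", 0o644),
        "my.cnf": ("[mysqld]\nskip-networking\n", 0o644),
    }
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, (text, mode) in files.items():
            path = os.path.join(d, name)
            with open(path, "w") as fh:
                fh.write(text)
            os.chmod(path, mode)
            results[name] = audit_file(path)
    return results
```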
How Does Your Data Flow?
➲ Where is user data encrypted?
➲ Where do errors go?
➲ Where does the traffic flow?
Administrative Applications
➲ Same data, different interface
➲ Reporting
➲ VPN
➲ “It's public” vs. “It's easily accessible”
Plaintext Passwords Are Bad!
➲ Storage of customer login
➲ Compromised DB
➲ Transmission of passwords/hashes
➲ Users may use elsewhere
Plaintext Passwords Are Bad!
➲ Where are you encrypting?
➲ Where are you checking?
Validate User Input
➲ ; \g \G ' " UNION
➲ HTML encoding
➲ NULL / char(0)
➲ VARCHAR and ' '
Validate User Input
➲ Save yourself time
➲ Buffer overflows
➲ CHARSET
Trusting GET or POST
➲ Only from certain pages
➲ Even with valid session ids, cookies
➲ register_globals=off in PHP
Test your site! acetunix....
Use Prepared Statements
➲ MySQL
PREPARE stmt1 FROM 'SELECT uname FROM UserAuth WHERE uname=? AND pass=?';
SET @a = "alef";
SET @b = md5("alef");
EXECUTE stmt1 USING @a, @b;
Use Prepared Statements
➲ MySQL
PREPARE stmt1 FROM 'SELECT uname FROM UserAuth WHERE uname=? AND pass=?';
SET @a = "alef";
SET @b = md5("alef");
EXECUTE stmt1 USING @a, @b;
SET @a = "alef";
SET @b = "alef' or 'x'='x";
EXECUTE stmt1 USING @a, @b;
DEALLOCATE PREPARE stmt1;
Use Prepared Statements
➲ Prepared statement speed
➲ Stored procedures
Prepared Statements - Code
➲ Perl
$query = $sql->prepare("SELECT uname FROM UserAuth WHERE uname = ? AND pass = ?");
$query->execute($uname, $pass);
➲ PHP
$stmt = $mysqli->prepare("SELECT uname FROM UserAuth WHERE uname = ? AND pass = ?");
$stmt->bind_param("ss", $uname, $pass);
$stmt->execute();
Prepared Statements - Code
➲ Java
PreparedStatement pstmt = con.prepareStatement("SELECT uname FROM UserAuth WHERE uname = ? AND pass = ?");
pstmt.setString(1, uname);
pstmt.setString(2, pass);
ResultSet rset = pstmt.executeQuery();
Prepared Statements - Code
➲ .NET/C#
using (SqlCommand cmd = new SqlCommand("SELECT uname FROM UserAuth WHERE uname = @uname AND pass = @pass", con)) {
    cmd.Parameters.AddWithValue("@uname", uname);
    cmd.Parameters.AddWithValue("@pass", pass);
    using (SqlDataReader rdr = cmd.ExecuteReader()) { ... }
}
Encryption
➲ SSL is per-client
➲ Unencrypted MySQL data streams
shell> tcpdump -l -i eth0 -w - src or dst port 3306 | strings
Feedback?
➲ Other ideas....