Security Issue with mySQL???

exahost

Hi,

I found this today and thought I should ask around to see if anyone else gets it. It came about when I wanted to connect to a DB remotely using a Windoze based GUI.

1. Go to the mySQL section in cPanel.
2. Add your client machine's IP to the ACCESS HOSTS
3. Connect using a SQL client (e.g. MyCC)
4. View ALL DBs on that machine!

Now, granted you cannot access the DBs if you don't have privileges to, but I believe in some "security by obscurity". You can't mess with what you can't see (well, most of the time anyway).

Is there a way to fix this? If anybody knows I would love to hear.

Cheers,

Pete
 

mickalo

In your my.cnf or my.ini (for Windows), add this in the [mysqld] group:

skip-show-database

This will prevent the person from viewing any DBs that they do not have access to. I think this is what you're looking for.
 

exahost

> Originally posted by mickalo
>
> In your my.cnf or my.ini (for Windows), add this in the [mysqld] group:
>
> skip-show-database
>
> This will prevent the person from viewing any DBs that they do not have access to. I think this is what you're looking for.

mickalo,

Thanks for the help. I tried that and it hides all databases. It still allows me to connect, but I cannot see even the database to which I have privileges.
 

moronhead

Hmmm, that seems quite a gaping hole. I have a couple of other Windows GUIs for MySQL that I work with and none has that security hole. MyCC is published by MySQL itself and it seems odd that they couldn't realize this problem.

Mickalo, your solution is a good one, but when you put that in /etc/my.cnf or ~/.my.cnf it's blocking access from any Windows GUI, including to the databases you have privileges assigned for. You can still access them from cPanel though. There may be some other solution to this. I'll go and check.
 

hst

Did you set a root MySQL password?

Go into WHM and set a root MySQL password. If it's not set, it does allow others to view all the databases.
 

moronhead

> Originally posted by hst
>
> Go into WHM and set a root MySQL password. If it's not set, it does allow others to view all the databases.

MyCC displays the DBs even if you have a root password set.
 

bliz42

limited knowledge

There is something to be said for the limited knowledge a "show databases" will give a user. I don't really see it as much of an issue. They cannot access the database, or anything about it, other than that database name.

If something is so mission critical that you don't even want people knowing that the databases exist, it might need to be on a dedicated server or virtual dedicated server.

Just my two cents...

Kevin
 

moronhead

bliz42, what you said makes sense. The issue here is, MyCC is the only GUI that I know of that displays all the databases on the server. Whether this is by design or by accident, we don't know. But it ain't pretty!
 

bliz42

remote access to db

I don't know. I've disabled remote access to the MySQL ports through ipchains, so if the user wants a GUI, phpMyAdmin better do the job for him.

bliz42
 

Site5-Matt

> Originally posted by moronhead
>
> bliz42, what you said makes sense. The issue here is, MyCC is the only GUI that I know of that displays all the databases on the server. Whether this is by design or by accident, we don't know. But it ain't pretty!

That's simply a result of the way that software was designed. It seems to assume that you will have access to all databases on the server and therefore shows them to you. Nevertheless, there is a fix...

If you put the following line in your /etc/my.cnf file, it will only show users databases that they have some kind of privileges for:

safe-show-database

(note that it should be under the [mysqld] header)

After you do that, you will need to stop and start your mysqld server. You might want to run

mysqladmin variables | grep "safe_show"

just to make sure that variable is set to "ON" and verify that it's working. Once this is in place, users will only be shown databases that they have some kind of access to (all the ones owned by them, in the case of a cPanel server).

Of course, that doesn't stop someone from doing an ls of the /var/lib/mysql directory from the command line, but it is an additional layer of obscurity for those who value that kind of thing. :)
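An added example (not from any poster in this thread) that automates the two checks discussed above, for either mickalo's skip-show-database or Matt's safe-show-database: it confirms the option really sits under the [mysqld] group of a my.cnf (an option placed under [client] or [mysql] is silently ignored by the server), and it parses the table row that `mysqladmin variables` prints to confirm the variable reads ON. The my.cnf contents and the `mysqladmin variables` row are constructed samples embedded inline, not taken from a real server.

```shell
#!/bin/sh
# Constructed sample my.cnf: safe-show-database is correctly under [mysqld],
# while skip-show-database was mistakenly placed under [mysql] (client group).
SAMPLE_CNF=$(cat <<'EOF'
[client]
port=3306

[mysqld]
datadir=/var/lib/mysql
safe-show-database

[mysql]
skip-show-database
EOF
)

# Constructed sample rows in the table format 'mysqladmin variables' prints.
SAMPLE_VARS='+---------------------+-------+
| Variable_name       | Value |
+---------------------+-------+
| safe_show_database  | ON    |
| skip_show_database  | OFF   |
+---------------------+-------+'

# has_mysqld_option FILE OPTION: exit 0 only if OPTION appears inside the
# [mysqld] group of FILE. Comments are skipped; whitespace is trimmed.
has_mysqld_option() {
  awk -v opt="$2" '
    /^[ \t]*#/ { next }
    /^[ \t]*\[/ { in_mysqld = ($0 ~ /^[ \t]*\[mysqld\][ \t]*$/); next }
    in_mysqld {
      line = $0; sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
      if (line == opt) { found = 1; exit }
    }
    END { exit found ? 0 : 1 }' "$1"
}

# variable_is_on TABLE VARNAME: exit 0 only if the row for VARNAME reads ON.
variable_is_on() {
  printf '%s\n' "$1" | awk -F'|' -v var="$2" '
    NF >= 3 { gsub(/ /, "", $2); gsub(/ /, "", $3)
              if ($2 == var && $3 == "ON") found = 1 }
    END { exit found ? 0 : 1 }'
}

# Stand-alone demonstration against the constructed samples.
TMP_CNF=$(mktemp); printf '%s\n' "$SAMPLE_CNF" > "$TMP_CNF"
has_mysqld_option "$TMP_CNF" safe-show-database && echo "safe-show-database is under [mysqld]"
has_mysqld_option "$TMP_CNF" skip-show-database || echo "skip-show-database is NOT under [mysqld]"
variable_is_on "$SAMPLE_VARS" safe_show_database && echo "server reports safe_show_database=ON"
rm -f "$TMP_CNF"
```

On a live server, replace the samples with `/etc/my.cnf` and the real output of `mysqladmin variables`. Later MySQL releases replaced safe-show-database with a per-account SHOW DATABASES privilege, so check your server's documentation for which mechanism applies.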
 

moronhead

Matt that has worked. That's another hole closed! The program is actually quite efficient. It even senses if you have the same password for more than 1 database and it opens them all up in one move!
 

moronhead

> Originally posted by Site5-Matt
>
> .... but it is an additional layer of obscurity for those who value that kind of thing. :)

You got it. :)