The Community Forums


Security Issue with mySQL???

Discussion in 'Security' started by exahost, Jul 4, 2002.

  1. exahost (Member, joined Jan 8, 2002)

    Hi,

    I found this today and thought I should ask around to see if anyone else gets it. It came about when I wanted to connect to a DB remotely using a Windoze-based GUI.

    1. Go to the MySQL section in cPanel.
    2. Add your client machine's IP to the ACCESS HOSTS.
    3. Connect using a SQL client (e.g. MyCC).
    4. View ALL DBs on that machine!

    Now, granted you cannot access the DBs if you don't have privileges to, but I believe in some "security by obscurity". You can't mess with what you can't see (well, most of the time anyway).

    Is there a way to fix this? If anybody knows I would love to hear.

    Cheers,

    Pete
     
  2. mickalo (Well-Known Member, joined Apr 16, 2002, N.W. Iowa)

    In your my.cnf or my.ini (for Windows), add this in the [mysqld] group:

    skip-show-database

    This will prevent the person from viewing any DBs that they do not have
    access to. I think this is what you're looking for.
     
  3. exahost (Member, joined Jan 8, 2002)

    Originally posted by mickalo:

    > In your my.cnf or my.ini (for Windows), add this in the [mysqld] group:
    >
    > skip-show-database
    >
    > This will prevent the person from viewing any DBs that they do not have
    > access to. I think this is what you're looking for.

    mickalo,

    Thanks for the help. I tried that and it hides all databases. It still allows me to connect, but I cannot see even the database to which I have privileges.
     
  4. moronhead (Well-Known Member, joined Aug 12, 2001)

    Hmmm, that seems quite a gaping hole. I have a couple of other Windows GUIs for MySQL that I work with and none has that security hole. MyCC is published by MySQL itself and it seems odd that they couldn't realize this problem.

    Mickalo, your solution is a good one, but when you put that in /etc/my.cnf or ~/.my.cnf it's blocking access from any Windows GUI, including to the databases you have privileges assigned for. You can still access them from cPanel though. There may be some other solution to this. I'll go and check.
     
  5. hst (Well-Known Member, joined Feb 24, 2002)

    Did you set a root MySQL password?

    Go into WHM and set a root MySQL password. If it's not set, it does allow others to view all the databases.
     
  6. moronhead (Well-Known Member, joined Aug 12, 2001)

    Originally posted by hst:

    > Go into WHM and set a root MySQL password. If it's not set, it does allow others to view all the databases.

    MyCC displays the DBs even if you have a root password set.
     
  7. bliz42 (Member, joined May 7, 2002)

    limited knowledge

    There is something to be said for the limited knowledge a "show databases" will give a user. I don't really see it as much of an issue. They cannot access the database, or anything about it, other than that database name.

    If something is so mission critical that you don't even want people knowing that the databases exist, it might need to be on a dedicated server or virtual dedicated server.

    Just my two cents...

    Kevin
     
  8. moronhead (Well-Known Member, joined Aug 12, 2001)

    bliz42, what you said makes sense. The issue here is, MyCC is the only GUI that I know of that displays all the databases on the server. Whether this is by design or by accident, we don't know. But it ain't pretty!
     
  9. bliz42 (Member, joined May 7, 2002)

    remote access to db

    I don't know. I've disabled remote access to the MySQL ports through ipchains, so if the user wants a GUI, phpMyAdmin had better do the job for him.

    bliz42
     
  10. Site5-Matt (Well-Known Member, PartnerNOC, joined Aug 10, 2001)

    Originally posted by moronhead:

    > bliz42, what you said makes sense. The issue here is, MyCC is the only GUI that I know of that displays all the databases on the server. Whether this is by design or by accident, we don't know. But it ain't pretty!

    That's simply a result of the way that software was designed. It seems to assume that you will have access to all databases on the server and therefore shows them to you. Nevertheless, there is a fix...

    If you put the following line in your /etc/my.cnf file, it will only show users databases that they have some kind of privileges for:

    safe-show-database

    (note that it should be under the [mysqld] header)

    After you do that, you will need to stop and start your mysqld server. You might want to run

    mysqladmin variables | grep "safe_show"

    just to make sure that variable is set to "ON" and verify that it's working. Once this is in place, users will only be shown databases that they have some kind of access to (all the ones owned by them, in the case of a cPanel server).

    Of course, that doesn't stop someone from doing an ls of the /var/lib/mysql directory from the command line, but it is an additional layer of obscurity for those who value that kind of thing. :)
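
Posts 2 and 10 both come down to one line in the right group of my.cnf, and post 10's aside that it must sit under the [mysqld] header is the part that bites in practice (post 3's "hides everything" result is what skip-show-database does on a 3.23-era server). The audit script below is an added example, not code from the thread, from cPanel or from MySQL: it reads a my.cnf, finds the [mysqld] group, and reports which of the two options (if either) is in force, so an option placed under the wrong group shows up as "none". The file names and sample configs it writes are constructed for the demonstration, and it assumes, as the MySQL option parser does, that dashes and underscores in option names are interchangeable and that 0/OFF/FALSE turn a boolean option off. It inspects the file only; after editing you still restart mysqld and confirm with mysqladmin variables as post 10 describes.

```shell
#!/bin/sh
# Added example (not from the thread): audit a my.cnf for the show-database
# options, checking that they sit in the [mysqld] group, the only group mysqld
# reads them from. File names and sample configs are constructed for the demo.

# mycnf_option FILE GROUP OPTION
# Prints OPTION's value from the [GROUP] section of FILE ("1" for a bare option
# such as "skip-show-database") and returns 0; returns 1 if it is absent.
# Dashes and underscores in option names are treated as equivalent (assumed to
# match the MySQL option parser).
mycnf_option() {
    awk -v want_group="$2" -v want_opt="$(printf '%s' "$3" | tr '-' '_')" '
        BEGIN { in_group = 0; found = 0 }
        /^[ \t]*[#;]/ { next }                       # skip comment lines
        /^[ \t]*\[/ {                                # group header, e.g. [mysqld]
            g = $0
            sub(/^[ \t]*\[/, "", g); sub(/\].*$/, "", g)
            in_group = (g == want_group)
            next
        }
        in_group {
            line = $0
            sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
            if (line == "") next
            n = index(line, "=")
            if (n) { key = substr(line, 1, n - 1); val = substr(line, n + 1) }
            else   { key = line; val = "1" }
            sub(/[ \t]+$/, "", key); sub(/^[ \t]+/, "", val)
            gsub(/-/, "_", key)
            if (key == want_opt) { print val; found = 1; exit }
        }
        END { exit !found }
    ' "$1"
}

# option_enabled FILE OPTION: true when OPTION is present in [mysqld] and not
# explicitly switched off (0/OFF/FALSE/NO disable a boolean option).
option_enabled() {
    v=$(mycnf_option "$1" mysqld "$2") || return 1
    case "$(printf '%s' "$v" | tr '[:upper:]' '[:lower:]')" in
        0|off|false|no) return 1 ;;
        *) return 0 ;;
    esac
}

# audit_show_database FILE
# Reports what SHOW DATABASES reveals to a user with no server-wide privilege:
#   skip  - the statement is refused outright (skip-show-database)
#   safe  - only databases the user holds some privilege on (safe-show-database)
#   none  - every database name on the server
audit_show_database() {
    if option_enabled "$1" skip-show-database; then
        echo skip
    elif option_enabled "$1" safe-show-database; then
        echo safe
    else
        echo none
    fi
}

# Constructed sample configs (not from the thread). The third one puts the
# option under the client [mysql] group, the mistake post 10 warns about.
write_samples() {
    cat >"$1/my-skip.cnf" <<'EOF'
[mysqld]
datadir=/var/lib/mysql
skip-show-database
EOF
    cat >"$1/my-safe.cnf" <<'EOF'
[mysqld]
datadir = /var/lib/mysql
socket  = /var/lib/mysql/mysql.sock
safe_show_database
EOF
    cat >"$1/my-wrong-group.cnf" <<'EOF'
[mysqld]
datadir=/var/lib/mysql

[mysql]
# client group: mysqld never reads this, so the option does nothing
safe-show-database
EOF
}

# Usage: sh audit-show-db.sh /etc/my.cnf   (no argument: audit the samples)
if [ $# -eq 0 ]; then
    sample_dir=$(mktemp -d)
    write_samples "$sample_dir"
    set -- "$sample_dir"/*.cnf
fi
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(audit_show_database "$f")"
done
```

Run it against /etc/my.cnf before and after the edit; "none" after the edit means the line landed in the wrong group or was commented out. One caveat the thread predates: safe-show-database only means something on MySQL 3.23-era servers. From 4.0.2, where the SHOW DATABASES privilege was introduced, SHOW DATABASES already lists only databases the user has some privilege on, skip-show-database limits the statement to holders of that privilege, and safe-show-database became a deprecated no-op that later releases dropped altogether, so check the server version before adding it.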
     
  11. moronhead (Well-Known Member, joined Aug 12, 2001)

    Matt that has worked. That's another hole closed! The program is actually quite efficient. It even senses if you have the same password for more than 1 database and it opens them all up in one move!
     
  12. moronhead (Well-Known Member, joined Aug 12, 2001)

    Originally posted by Site5-Matt:

    > .... but it is an additional layer of obscurity for those who value that kind of thing. :)

    You got it. :)
     