The Linux distillery
The dark side of open source: Hacking MySQL
by David M Williams   
Sunday, 10 February 2008
Vulnerability CVE-2006-2753 describes an SQL injection vulnerability in versions of MySQL 4.1.x before version 4.1.20 and versions 5.0.x before 5.0.22 – which certainly covers our target version 5.0.15.

SQL injection is particularly nasty: it allows an application user to enter input data that is inserted directly into a database SQL query. If, for instance, a program prompts for a username and password and you know it uses an SQL query to look up the credentials, you can craft the input such that you will be able to log in every time.

Imagine the query used is

SELECT * FROM Users WHERE Username = '<Username>' AND Password = '<Password>'

where <Username> and <Password> are the values input by the user. If the Username entered is

admin' #

then the query becomes

SELECT * FROM Users WHERE Username = 'admin' #' AND Password = '<Password>'

Simply put, this means the database query will actually ignore the password, because the # indicates that everything following it is purely a comment and not a real part of the statement. So, the query just lets the user log in as user admin without requiring a valid password at all.
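The login lookup above, built by string concatenation and then in its hardened form, as an added example that is not part of the original article. An in-memory SQLite database stands in for the MySQL server (the table layout and the admin user are constructed for the demo), and the SQLite placeholder is ? where a MySQL driver would typically use %s.

```python
import sqlite3


def make_db():
    """Constructed sample data: a Users table matching the article's query."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    db.execute("INSERT INTO Users VALUES ('admin', 'correct-horse')")
    return db


def build_query_unsafe(username, password):
    """The vulnerable pattern: user input pasted straight into the SQL text.

    Returns the statement that would be sent to MySQL. With the username
    admin' # the closing quote is supplied by the attacker and MySQL treats
    everything after # as a comment, so the Password clause vanishes.
    """
    return ("SELECT * FROM Users WHERE Username = '" + username
            + "' AND Password = '" + password + "'")


def login_safe(db, username, password):
    """Hardened form: values are bound as parameters, never spliced into the
    SQL text, so quotes and comment markers in the input remain plain data.
    With a driver that uses server-side prepared statements there is no
    client-side escaping step at all for a multibyte bug to subvert.
    """
    row = db.execute(
        "SELECT * FROM Users WHERE Username = ? AND Password = ?",
        (username, password),
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    print(build_query_unsafe("admin' #", "anything"))
    print("safe login with injected name:", login_safe(db, "admin' #", "anything"))
    print("safe login with real password:", login_safe(db, "admin", "correct-horse"))
```

The unsafe function is deliberately not executed against the database: it only shows the statement text, which is enough to see the comment swallowing the password check.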

A recent episode of the brilliant xkcd comic strip illustrated SQL injection. I still laugh when I think of “Little Bobby Tables.”

So then, we know immediately that SQL injection is possible in MySQL version 5.0.15 (and others). It isn’t as simple as the example above; this vulnerability requires the arbitrary SQL commands to be smuggled in through specially constructed multibyte characters, which takes some expertise. Really, the underlying problem is that a function – mysql_real_escape – had a flaw and did not correctly handle multibyte character sets, and this can be exploited.

Although it requires some tech savvy to use, this vulnerability is pernicious because the cracker does not need any network access to the MySQL server beyond that provided by a front-end application, which may well be an Internet-accessible web site.

If SQL injection is possible there is no real limit to what an attacker can do. One possibility has nothing to do with the database itself. MySQL offers a function, LOAD_FILE, which returns a string containing the contents of any file on the system that the MySQL server process can read. Thus

SELECT LOAD_FILE('/etc/passwd');

will display the contents of the /etc/passwd file, revealing all user accounts on the system. Additionally, it’s possible to write files on the server using the SELECT ... INTO OUTFILE statement. So, via a MySQL exploit, a wily cracker can even add a login to your system or modify any other file, subverting the system further.

Looking at the list of past MySQL security holes, we can see many that are troubling: versions 5.0.0-2 and 4.1.3 fixed a flaw where database authentication could be bypassed via a zero-length string. Another problem on Windows platforms saw MySQL user passwords being stored in plain text in a file called my.ini; if this file could be read then the passwords were exposed.

How do you secure yourself? Please do read on.
