MySQL security is critical to data security. Destruction, falsification or simply unwanted publication are the most serious threats, waiting in the dark for the first faux pas of any administrator. During this session, we'll review the common vulnerabilities, the intrusion techniques, MySQL security features, and configurations.
2. Agenda
Why is security important?
Privilege management
Configuration directives
MySQL security on the Web
Next challenge for security
3. Who is speaking?
Damien Séguy
LAMP expert services at
NexenServices.com
'Sécurité PHP 5 et MySQL'
with Philippe Gamache
at Eyrolles
http://www.nexen.net/
4. Common fears
Root overtake
Data erasing
Denial of service
Data modification
Data publication
Plain shame....
5. Default privileges
Root account, no password
Always ADD A password
Renaming root to 'chef'?
Users and test bases
Users without password
Users without IP restrictions
Anonymous users
6. User table sanity checks
Anonymous users
SELECT count(*) FROM mysql.user
WHERE user='';
Avoid % in addresses
SELECT count(*) FROM mysql.user
WHERE host LIKE '%\%%';
Always have a password
SELECT count(*) FROM mysql.user
WHERE password='';
7. The FILE privilege
Export data to a file
Import data from a file
Import data from the client
8. The GRANT privilege
Share your privileges
Privilege escalation
Complement by exchanging
rights with other users
12. Client configuration directives
--secure-auth
--safe-updates
also called:
--i-am-a-dummy
--select_limit=1000
--max_join_size
13. Resource consumption
In the User table
Max_connections
Max_user_connections
Max_questions
Max_updates
+----------------------+------+
| Field                | Null |
+----------------------+------+
| max_questions        | NO   |
| max_updates          | NO   |
| max_connections      | NO   |
| max_user_connections | NO   |
+----------------------+------+
Inactive by default
Valid for an hour
14. SQL injections
Dynamic build of the SQL query
$requete = "SELECT COUNT(*) FROM users
WHERE login='".$_GET['login']."'
AND motdepasse='".$_GET['password']."'";
Mixing data and instructions
It is always possible to escape this quoting, and make the
query do other things
15. Injections patterns
WHERE clause removal
WHERE login = '' or 1 or ''
Subqueries
WHERE id=(SELECT BENCHMARK(1000, MD5(1)));
UNION
WHERE id=1 UNION SELECT * FROM table;
Multiple insertions
VALUES ('login'),('admin');
16. MySQL special chars
' and " : string delimiters
() : sub queries
% and _ : regex with LIKE
REGEXP
; \g \G : end of command
--, # and /* ... */ : comments
17. Protecting against injections
Protecting special characters
with PHP: use mysqli_real_escape_string() AND delimiters
$sql = "SELECT * FROM table WHERE
id = '"
.mysqli_real_escape_string($mid, $_GET['id']).
"'";
The case of integers: force the type before building the query
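As an added example (not from the original slides), a stand-alone Python sketch of the three points above: escaping without delimiters, escaping with delimiters, and casting integers. `mysql_escape()` is an assumed stand-in for mysqli_real_escape_string() that reproduces its backslash escaping for a single-byte charset under the default SQL mode, and `literal_count()` is a constructed helper that counts the string literals the server would parse.

```python
import re

# Assumption: the characters mysqli_real_escape_string() escapes for a
# single-byte charset with the default SQL mode (not NO_BACKSLASH_ESCAPES).
# Offline stand-in for demonstration only; use the real call in PHP.
_ESCAPES = {
    "\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
    "'": "\\'", '"': '\\"', "\x1a": "\\Z",
}

def mysql_escape(value: str) -> str:
    """Backslash-escape the characters MySQL treats specially in a string literal."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def vulnerable_login_query(login: str, password: str) -> str:
    """The slide's pattern: user input pasted straight into the SQL text."""
    return (f"SELECT COUNT(*) FROM users WHERE login='{login}' "
            f"AND motdepasse='{password}'")

def escaped_login_query(login: str, password: str) -> str:
    """Escaping AND single-quote delimiters: input cannot leave the literal."""
    return (f"SELECT COUNT(*) FROM users WHERE login='{mysql_escape(login)}' "
            f"AND motdepasse='{mysql_escape(password)}'")

def escaped_no_delimiters(id_value: str) -> str:
    """Escaping without delimiters: there is no quote to escape, so the
    input is still read as SQL. This is why the slide says AND delimiters."""
    return f"SELECT * FROM table WHERE id = {mysql_escape(id_value)}"

def typed_id_query(id_value: str) -> str:
    """The integer case: force the type before building the query.
    int() raises ValueError on anything that is not a plain integer."""
    return f"SELECT * FROM table WHERE id = {int(id_value)}"

def literal_count(sql: str) -> int:
    """Count the single-quoted string literals a MySQL parser would see
    (backslash-escaped quotes stay inside their literal). The login query
    is meant to contain exactly two; more means the quoting was broken."""
    return len(re.findall(r"'(?:\\.|[^'\\])*'", sql))

if __name__ == "__main__":
    probe = "' or 1 or '"          # constructed input, same as slide 15
    print(vulnerable_login_query(probe, "x"), literal_count(vulnerable_login_query(probe, "x")))
    print(escaped_login_query(probe, "x"), literal_count(escaped_login_query(probe, "x")))
    print(escaped_no_delimiters("1 OR 1"))
    print(typed_id_query("42"))
```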
20. Other protections
Stored procedures
$sql = "CALL my_proc('".$_GET['id']."')";
MySQL variables
Easier to read and secure
$sql = "SET @id := '".$_GET['id']."'";
mysqli_query($mid, $sql);
$sql = "SELECT * FROM table WHERE id = @id";
mysqli_query($mid, $sql);
Injections are still possible, just limited
21. Hidden entrances
MySQL logs (binary, slow, general)
SHOW PROCESSLIST
SHOW CREATE TABLE
Data folder
Backup systems (media, files)
Replication slaves
Clients (history, network comm...)
22. Be prepared
Delete unused data
Encrypt data
Passwords:
writeable but not readable
Poison your data
Audit critical data
Back up
23. Database security standards?
Sarbanes-Oxley, SOX
Health Insurance Portability and
Accountability Act (HIPAA)
Payment Card Industry
Gramm-Leach-Bliley Act
SB 1386
Basel II
24. Common vulnerabilities
1) Insufficient security tests
2) Mediocre configuration
3) No encryption of critical data
4) No update process
5) Security is called in only when a disaster strikes
6) No monitoring
7) Insufficient control over third-party access
25. PCI standard
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other
security parameters
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and applications
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
12. Maintain a policy that addresses information security