On 12/04/2017 10:57, vinny wrote:
> On 2017-04-12 09:09, Lifepillar wrote:
>> So, I am here to ask if you have interesting/(in)famous stories to
>> share on database security/privacy "gone wrong" or "done right"(tm),
>> possibly with technical details
> One case that I remember from an ancient version of the book "hacking
> exposed" was about a MySQL server that was running under the root user.
> A badly written application allowed some SQL injection that let a hacker
> issue a SELECT INTO OUTFILE query that "selected" a bash script into the
> .login file of the root user, and the next time the root user logged in,
> the script would create a new superuser account for the hacker.
After tweaking MySQL to be really insecure by unsetting
secure_file_priv, using grant file, etc..., I am indeed able to write
anywhere where the user running MySQL is able to. This, combined with
a trivial SQL injection vulnerability in a popular web application,
makes (I think) an interesting and easy to explain example of how one
might take over a system or an account.
Correct me if I am wrong, in PostgreSQL something similar can be
achieved using lo_export(), although you must connect as a superuser to
do that (while in MySQL you may grant file system access to any user).
> I remember this particular example mainly because of the way that people
> I told it to reacted; some were of the opinion that the application was
> at fault for allowing injection, some thought the DBA was to blame for
> running as root, but the vast majority did not know that MySQL could
> write files, let alone overwrite system files.
Good point.
Thanks!
Life.
--
Sent via pgsql-general mailing list (pgsql-general@xxxxxxxxxxxxxx)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-general
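The thread boils down to three settings a DBA can check: the OS account mysqld runs under, the value of `secure_file_priv`, and which accounts hold the global `FILE` privilege (plus, on the PostgreSQL side, which roles are superusers, since `lo_export()` to server files needs one). The audit below is an added example, not code from the mailing-list thread or from either project; it works on constructed sample data standing in for the output of `SHOW VARIABLES LIKE 'secure_file_priv'`, `SHOW GRANTS FOR ...` and `SELECT rolname, rolsuper FROM pg_roles`, and the function names are my own.

```python
import re
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed sample data (not taken from any real server) standing in for:
#   SHOW VARIABLES LIKE 'secure_file_priv';   -> MYSQL_SECURE_FILE_PRIV
#   the OS account mysqld runs under           -> MYSQL_SERVER_OS_USER
#   SHOW GRANTS FOR <account>;                 -> MYSQL_GRANTS
#   SELECT rolname, rolsuper FROM pg_roles;    -> PG_ROLES
MYSQL_SECURE_FILE_PRIV: Optional[str] = ""   # "" = no path restriction; None/NULL = file I/O disabled
MYSQL_SERVER_OS_USER = "root"
MYSQL_GRANTS: Dict[str, List[str]] = {
    "'webapp'@'localhost'": [
        "GRANT SELECT, INSERT, UPDATE ON `shop`.* TO 'webapp'@'localhost'",
        "GRANT FILE ON *.* TO 'webapp'@'localhost'",
    ],
    "'backup'@'localhost'": ["GRANT ALL PRIVILEGES ON *.* TO 'backup'@'localhost'"],
    "'report'@'%'": ["GRANT SELECT ON `shop`.* TO 'report'@'%'"],
}
PG_ROLES: List[Tuple[str, bool]] = [("postgres", True), ("webapp", True), ("report", False)]

# Matches the privilege list and scope of a SHOW GRANTS line.
GRANT_RE = re.compile(r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s", re.IGNORECASE)


def grants_file_privilege(grant: str) -> bool:
    """True if one GRANT statement confers FILE, directly or via ALL PRIVILEGES.

    FILE is a global privilege, so it can only appear on *.*; a grant on a
    single database can never carry it, whatever the privilege list says.
    """
    m = GRANT_RE.match(grant)
    if not m or m.group("scope") != "*.*":
        return False
    privs = {p.strip().upper() for p in m.group("privs").split(",")}
    return bool(privs & {"FILE", "ALL PRIVILEGES", "ALL"})


def audit_mysql(secure_file_priv: Optional[str], server_os_user: str,
                grants: Dict[str, List[str]]) -> List[str]:
    """Return one finding per condition that makes SQL-level file writes dangerous."""
    findings: List[str] = []
    if server_os_user == "root":
        findings.append("mysqld runs as root: any file write is a root-level write")
    if secure_file_priv is None or secure_file_priv.upper() == "NULL":
        pass  # import/export disabled entirely: nothing to flag
    elif secure_file_priv == "":
        findings.append("secure_file_priv is empty: INTO OUTFILE may write anywhere "
                        "the server's OS user can")
    # A directory value restricts file I/O to that path; treat it as acceptable here.
    for account, stmts in grants.items():
        if any(grants_file_privilege(s) for s in stmts):
            findings.append(f"{account} holds FILE: can read/write server files via SQL")
    return findings


def audit_pg_superusers(roles: Sequence[Tuple[str, bool]],
                        expected_admins: Sequence[str] = ("postgres",)) -> List[str]:
    """Flag superuser roles other than the known admin ones.

    As the thread notes, server-side lo_export() needs a superuser connection,
    so an application role that is a superuser is the PostgreSQL analogue of
    a MySQL account holding FILE.
    """
    return [f"PostgreSQL role {name} is a superuser (server-side lo_export available)"
            for name, is_super in roles if is_super and name not in expected_admins]


if __name__ == "__main__":
    for line in audit_mysql(MYSQL_SECURE_FILE_PRIV, MYSQL_SERVER_OS_USER, MYSQL_GRANTS):
        print("MySQL:", line)
    for line in audit_pg_superusers(PG_ROLES):
        print("PostgreSQL:", line)
```

On the sample data the MySQL audit reports four findings (root OS user, empty `secure_file_priv`, and `FILE` for both `webapp` and `backup`) and the PostgreSQL audit flags only `webapp`; a server with `secure_file_priv = NULL`, a dedicated `mysql` OS user and no `FILE` grants outside the admin account produces none. Fixing the injection in the application is still the first job, but the audit shows which layer would have turned that injection into a system takeover.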