Long story short, we found files promoting prescription drugs on our server that we didn't put there. The Windows server has very old applications and runs MySQL 5.1.11.

Beyond other security flaws, could SQL injection be used to write files to the server file system? I am certain that some of these old applications are vulnerable to SQL injection attacks. I would NOT think that this is possible, but I seem to remember reading somewhere that MySQL could access the "command line" and write files via it, though I cannot locate a source for that info. Then again, my mind could be playing tricks on me.

If this is possible, is there a setting that can disable it?

Also, I'm not looking for the answer that says get rid of the SQL injection vulnerability. While that obviously needs to be done, I'm looking for a quick short-term fix that will prevent the rogue files from magically appearing again while the SQL injection vulnerabilities are being fixed. Fixing all the old applications is going to take lots of time.

Thanks.

+3  A: 

It's possible, especially with suitably careless configuration.

For example, there is SELECT ... INTO OUTFILE 'file_name'

But it's also more likely to be a different security problem. I'd seriously consider taking the software offline quickly, especially if the database contains any confidential or private information.

Colin Pickard
That definitely qualifies. Thanks for the info.
Eddie
+1  A: 

As Colin Pickard shows, yes.

But even if you can't update your application, I doubt it needs the rights it's currently running with. You need to check the user it logs in to MySQL with and trim those permissions down to the minimum. Specifically, in this case you should remove the FILE privilege if your app does not read/write files stored on the MySQL server.

longneck
Is this FILE privilege available in the MySQL administrator? Or do I have to go to the console to revoke it?
Eddie
You can do this from MySQL Administrator, but you have to first go to the Tools menu, pick Options, and turn on "show global privileges" and "show schema object privileges".
longneck
Thank you. Seems like the FILE privilege was NOT granted to the user. I assume this means that user was not able to execute a select command with "INTO OUTFILE".
Eddie
Note: the FILE privilege was NOT granted under the Global privileges. I do not see a FILE privilege under the Schema or Schema Object privileges.
Eddie
A: 

Setting the permissions of the application directory to read-only for the web account might work. This assumes that you're not already creating files in it like logfiles and such.

Loadmaster