Plesk is encouraging "god" users in MySQL, a horrible database practice
Plesk does not let one specify different levels of permissions to MySQL users! I am absolutely floored at the short sightedness of this! It totally violates the principle of least privilege for access permissions and perpetuates horrible development practice.
Has anyone else run into this with other control panels? The continued use of "god" users in web applications is a big problem as it leaves the database server incapable of mitigating some SQL injection attacks against web interfaces to databases.
What practices do you guys use? Are you using a single database user with full access or do you have multiple database privileges depending on what is needed? I think in general, three is a good idea: one for unauthenticated activity, one of authenticated activity, and finally one for administration.
Frank
Author of SQL Converter for Excel, which is an Excel add-in for converting data to MySQL.
JeevesBond posted this at 20:38 — 5th November 2006.
He has: 3,956 posts
Joined: Jun 2002
I certainly don't use Plesk to configure MySQL access! We use Plesk on this site (not through choice) and we do not like it at all. It's very restrictive and assumes far too much about what you're trying to do. I think what you've pointed out is a good example of that: because users are obviously too stupid to control permissions themselves!
Personally I just SSH into the server and type mysql -ublah -p then enter SQL manually. There are some good tools from MySQL for managing databases remotely (if you don't like/don't have access to SSH): http://dev.mysql.com/downloads/gui-tools/
a Padded Cell our articles site!
Greg K posted this at 14:19 — 6th November 2006.
He has: 2,145 posts
Joined: Nov 2003
For the pregam I wrote, I also have 3 users. one that is read only of general information, one that can read/write user databases once they are loged in, and one for only during signup/maintenance scipts (to create new databases for new users, to archive and delete databases from users that have been expired 6 months, etc). Then we also have full access one that is not used by the program, either used SSH in or using phpMyAdmin on the secure side of our server.
-Greg
FrankR posted this at 13:25 — 9th November 2006.
He has: 45 posts
Joined: Oct 2006
I think both of you are well ahead of the curve. You would not believe the things I SAW customers do while in the hosting business. I am talking about seriously amateurish implementations that just screamed "hack me."
Yesterday, I had the pleasure of sitting in on two talks on web application hacking by one of the authors of Hacking Exposed Web Applications. He demonstrated a bunch of scary stuff with blind SQL injection, cross site scripting, and good-old-fashion recon-and-exploit.
A few points about databases:
Frameworks help when used properly as they can be fixed much like an operating system can be patched to close a vulnerability.
By the way, be sure that you have no web accessible web logs or analyzed statistics. Information that is accessed the least is very valuable as they often point to administrative interfaces.
Frank
Author of SQL Converter for Excel, which is an Excel add-in for converting data to MySQL.
Want to join the discussion? Create an account or log in if you already have one. Joining is fast, free and painless! We’ll even whisk you back here when you’ve finished.