
Re: [suse-security] Solved (?): mysql_connect: Access denied

* Thomas Roth wrote on Thu, Oct 23, 2003 at 16:38 +0200:
> I think I fixed my problem with mysql.

Well, as this is a security list, let's discuss a little :)

> 1) I found that the PHP-script was actually read: supplying
> some special characters instead of the said parameters to
> mysql_connect() resulted in a parse error at that line of the
> script. 

How could you manipulate your script to use special characters in
mysql_connect? By changing the sources? Of course you have to
make sure that this isn't possible by passing malformed data on
the external interfaces. I think there are conditions where
variables can be taken from the CGI environment somewhat
automatically. I think that is a big pitfall, as you might find
yourself using unsanitized data from untrusted sources.

> 2) However, sensible values seemed never to be used for the
> connection attempt. (PASSWORD: NO in the error message)

You cannot process sensible values with PHP, except if you have a
dedicated (logical) server for each user - at least when using
mod_php instead of CGI mode. The reason is the mod_ stuff -
performant but insecure: every script runs in the same
environment as the same user. PHP may try to put some security
from top-level, but this cannot work well because of the

> 3) The trick was to switch off the sql.safe_mode in php.ini.
>    (And that is not connected to the setting of php safe_mode.)

Yep, another drawback of mod_php is the global configuration :)
Again, if you have one script (-system), then it's no problem of
course. Why did you need to set sql.safe_mode off? What does this
mean exactly? I would expect that you want sql.safe_mode plus a
possibility to connect (however, this seems to be *really*
secure :-)).

Thank you for your mail. It is great when people not only ask
questions but also share the solution when they found it.



This letter was generated by machine,
so it bears neither signature nor seal.
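The pitfall raised in the reply above, connection parameters being taken from the CGI environment "somewhat automatically" (what PHP's register_globals did) and ending up in mysql_connect() unchecked, can be shown side by side with a safer pattern. This is an added example, not code from the original mail or from anyone in the thread; the config path /etc/myapp/db.ini, the ini keys and the function names are assumptions.

```php
<?php
// Added example (not from the mailing-list thread): unsanitized request
// data reaching mysql_connect(), and a pattern that keeps the connection
// parameters out of the request's control.

// --- Risky pattern (register_globals = On, PHP 4 era) ---
// With register_globals enabled, $db_host, $db_user and $db_pass are created
// from GET/POST/cookie data whenever the script never initializes them.
// Nothing here validates them; a connection failure such as
// "Access denied ... (using password: NO)" only shows they were empty.
function risky_connect()
{
    global $db_host, $db_user, $db_pass;    // possibly filled by the request
    return mysql_connect($db_host, $db_user, $db_pass);
}

// --- Safer pattern ---
// 1. Credentials come from a file outside the document root (assumed path),
//    never from request data.
// 2. Every variable is initialized explicitly, so register_globals cannot
//    pre-fill it.
// 3. Host and user are validated against a strict pattern before use.
// 4. The MySQL error text is logged, not sent to the browser.
function safe_connect()
{
    $db_host = $db_user = $db_pass = '';    // explicit init defeats register_globals

    $cfg = @parse_ini_file('/etc/myapp/db.ini');   // assumed location and format:
    if ($cfg === false) {                           //   host = ... / user = ... / pass = ...
        error_log('db.ini missing or unreadable');
        return false;
    }
    foreach (array('host', 'user', 'pass') as $key) {
        if (!isset($cfg[$key])) {
            error_log("db.ini: missing key '$key'");
            return false;
        }
    }

    // Hostnames and MySQL user names never need anything outside this set.
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $cfg['host']) ||
        !preg_match('/^[A-Za-z0-9._-]{1,16}$/', $cfg['user'])) {
        error_log('db.ini: host or user contains unexpected characters');
        return false;
    }

    $db_host = $cfg['host'];
    $db_user = $cfg['user'];
    $db_pass = $cfg['pass'];

    $link = @mysql_connect($db_host, $db_user, $db_pass);
    if (!$link) {
        error_log('mysql_connect failed: ' . mysql_error());   // stays in the server log
        return false;
    }
    return $link;
}

$link = safe_connect();
if (!$link) {
    header('HTTP/1.0 503 Service Unavailable');
    exit('Database unavailable');   // generic message, no credentials or error text
}
```

The config file has to be readable by the web server user, which is exactly the mod_php limitation the reply points out: on a shared mod_php server every other script runs as that same user and can read it too, so this pattern protects against malformed request data but not against other scripts on the same host.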
