Re: [suse-security] Solved (?): mysql_connect: Access denied

* Thomas Roth wrote on Thu, Oct 23, 2003 at 16:38 +0200:
> I think I fixed my problem with mysql.

Well, as this is a security list, let's discuss a little :)

> 1) I found that the PHP-script was actually read: supplying
> some special characters instead of the said parameters to
> mysql_connect() resulted in a parse error at that line of the
> script. 

How could you manipulate your script to use special characters in
mysql_connect? By changing the sources? Of course you have to
make sure that this isn't possible by passing malformed data on
the external interfaces. I think there are conditions where
variables can be taken from the CGI environment somewhat
automatically. I think that is a big pitfall, as you might find
yourself using unsanitized data from an untrusted source (the
browser).

> 2) However, sensible values seemed never to be  used for the
> connection attempt. (PASSWORD: NO in the error message)

You cannot process sensible values with PHP, except if you have a
dedicated (logical) server for each user - at least when using
mod_php instead of CGI mode. The reason is the mod_ stuff -
performant but insecure: every script runs in the same
environment as the same user. PHP may try to put some security
from top-level, but this cannot work well because of the
complexity.

> 3) The trick was to switch off the sql.safe_mode in php.ini.
>    (And that is not connected to the setting of php safe_mode.)

Yep, another drawback of mod_php is the global configuration :)
Again, if you have one script (-system), then it's no problem of
course. Why did you need to set sql.safe_mode off? What does this
mean exactly? I would expect that you want sql.safe_mode plus a
possibility to connect (however, this seems to be *really*
secure :-)).

Thank you for your mail. It is great when people not only ask
questions but also share the solution when they found it.

oki,

Steffen

-- 
This letter was produced by machine,
so it bears neither signature nor seal.

-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here
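The two pitfalls Steffen raises in the reply above, request data turning into script variables automatically and unsanitized browser input reaching the MySQL functions, as an added example that is not part of the original mail or of any code the thread's participants posted. It uses the mysqli extension with a prepared statement, which is a swapped-in technique; the thread itself concerns the old mysql_connect() interface. The configuration file /etc/myapp/db.ini (with keys host, user, password, dbname), the database and the users(name, email) table are assumptions made for the example.

```php
<?php
// Added example for this thread, not code from the original mail.
// Assumptions: PHP 5.x with the mysqli extension; a MySQL database holding
// a table users(name, email); connection settings in /etc/myapp/db.ini
// (keys host, user, password, dbname), kept outside the web server's
// document root so it is never served to a browser.

// 1. Take request data from the superglobal explicitly.
//    With register_globals=On (the PHP 4 default) a request such as
//    ?user=... silently created $user, so any variable the script forgot
//    to initialise could be supplied by the browser. Initialise every
//    variable yourself and accept only the type you expect.
$user = (isset($_GET['user']) && is_string($_GET['user'])) ? $_GET['user'] : '';

// 2. Validate the shape of untrusted input before anything interprets it.
if (!preg_match('/^[A-Za-z0-9_.-]{1,32}$/', $user)) {
    header('HTTP/1.0 400 Bad Request');
    exit('invalid user name');
}

// 3. Credentials come from fixed configuration, never from the request.
//    On the thread's symptom: with sql.safe_mode=On (PHP < 7) mysql_connect()
//    ignores its host/user/password arguments and connects as the web
//    server's OS user with no password, which is why the error reported
//    "using password: NO". Giving the script real, fixed credentials is the
//    way out; trusting request data for them is not.
$cfg = parse_ini_file('/etc/myapp/db.ini');
if ($cfg === false) {
    error_log('db config missing');
    exit('service unavailable');
}

$db = new mysqli($cfg['host'], $cfg['user'], $cfg['password'], $cfg['dbname']);
if ($db->connect_error) {
    // Log the detail for the administrator; the browser gets nothing useful.
    error_log('db connect failed: ' . $db->connect_error);
    exit('service unavailable');
}

// The pattern the reply warns about, shown for contrast and not to be used:
//   $result = mysql_query("SELECT email FROM users WHERE name='$user'");
// String interpolation hands whatever arrived in the request to the SQL parser.

// 4. A prepared statement keeps the value out of the SQL text entirely,
//    so the earlier validation is a second line of defence, not the only one.
$stmt = $db->prepare('SELECT email FROM users WHERE name = ?');
if ($stmt === false) {
    error_log('prepare failed: ' . $db->error);
    exit('service unavailable');
}
$stmt->bind_param('s', $user);
$stmt->execute();
$stmt->bind_result($email);

header('Content-Type: text/plain');
if ($stmt->fetch()) {
    echo $email, "\n";
} else {
    echo "no such user\n";
}
$stmt->close();
$db->close();
```

Because mod_php runs every script as the same OS user, as the reply notes, the credentials file is readable by that user and therefore by every other script on the same server; separating sites onto their own (virtual) servers or using CGI/FastCGI with per-site users is what actually isolates them, the code above only keeps the credentials out of the request and the document root.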