SQL Access Problem

From: jaywhy (jaywhy2@home.com)
Date: 10/20/01


Date: Sat, 20 Oct 2001 16:20:43 -0400
Subject: SQL Access Problem
From: jaywhy <jaywhy2@home.com>
To: <focus-linux@securityfocus.com>
Message-ID: <B7F754DA.38EB%jaywhy2@home.com>

Alright, this is something that has been bugging me for a few days.

Say you have software such as a shopping cart program. Let's say the
shopping cart is called Mifa and it saves its
configuration file in

/usr/local/mifa/config/SQL-config

Which has these permissions.

chmod 700 /usr/local/mifa/config/SQL-config
chown nobody:nobody /usr/local/mifa/config/SQL-config

And it contains stuff like

$sqlhostname ='localhost';
$sqluser ='sql';
$sqlpass ='1234';

Now you have many customers on that same server, whose websites you in turn
host. Now if you have a user named Matt with the document root

/home/matt/html

Matt can execute CGI, so let's also say Matt is a hacker. Matt won't be able
to access the SQL-config file directly, because only nobody or root can
access the file. So Matt can't

cat /usr/local/mifa/config/SQL-config

But he knows Apache, which runs as nobody, must be able to access the file.
Mifa needs that file for itself to create the database connection for Mifa.
Matt creates a script called hacksql.cgi.

#!/usr/bin/perl
# hacksql.cgi
use strict;
use warnings;

my $file = "/usr/local/mifa/config/SQL-config";
print "Content-type: text/plain\n\n";
# open and echo the file as whatever user Apache runs CGI as
open(my $fh, '<', $file) or die "cannot open $file: $!";
print while <$fh>;
close($fh);

Now, if Matt puts that script in his document root, Matt could just go to

http://webhost.com/~matt/hacksql.cgi

User nobody would in turn run it and print out the configuration file. Now Matt
could simply enter the database, and if it's a shopping cart program it
probably holds customers' credit information.

Voila!

To get around this in Apache you would include the module suexec. Suexec
allows you to only execute CGI files in your document root. Suexec isn't a
good solution; it's very hard to administer correctly, and even Apache's
website states this.

"it has been the decision of the Apache Group to NOT make suEXEC part of the
default installation of Apache. To this end, suEXEC configuration requires
of the administrator careful attention to details. After due consideration
has been given to the various settings for suEXEC, the administrator may
install suEXEC through normal installation methods"

I'm looking for a better solution, hopefully in Perl or elsewhere.

-- 
Jason Yates - jaywhy2@home.com
Network Administrator - RHCE

"Thoughtcrime does not entail death: thoughtcrime IS death."
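The permission reasoning behind the post (why a CGI running as nobody can read a 0700 nobody:nobody file, and why giving each site's CGI its own identity, as suexec does, closes that path) modelled as code. This is an added example and not part of the original post or of any shopping cart product; the dedicated account name 'mifa' and the file inventory are assumptions constructed for illustration.

```python
"""Added example (not part of the focus-linux post): model the read-permission
reasoning in the post and compare the shared-CGI-identity setup with a
per-user-CGI-identity setup such as suexec provides.

Assumptions (not from the post): the shopping cart is given its own account
named 'mifa'; the file inventory below is constructed for illustration.
"""
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class FileInfo:
    path: str
    mode: int       # permission bits only, e.g. 0o700
    owner: str
    group: str


@dataclass(frozen=True)
class Principal:
    name: str              # label for the report
    user: str              # account the process runs as
    groups: frozenset      # primary plus supplementary groups


def can_read(f: FileInfo, p: Principal) -> bool:
    """POSIX discretionary access check for the read bit.

    root bypasses DAC; otherwise exactly one class applies: owner if the uid
    matches, else group if any of the process's groups matches, else other.
    """
    if p.user == "root":
        return True
    if p.user == f.owner:
        return bool(f.mode & stat.S_IRUSR)
    if f.group in p.groups:
        return bool(f.mode & stat.S_IRGRP)
    return bool(f.mode & stat.S_IROTH)


def audit(files, principals):
    """Map each CGI identity to the sorted list of paths it can read."""
    return {p.name: sorted(f.path for f in files if can_read(f, p))
            for p in principals}


# Constructed inventory mirroring the post: config is 0700 nobody:nobody.
SQL_CONFIG = FileInfo("/usr/local/mifa/config/SQL-config", 0o700, "nobody", "nobody")
MATT_PAGE = FileInfo("/home/matt/html/index.html", 0o644, "matt", "matt")

# Without suexec every CGI on the host runs as the Apache user, nobody.
SHARED_CGI = Principal("~matt/hacksql.cgi without suexec", "nobody", frozenset({"nobody"}))

# With suexec, ~matt CGI runs as matt and (assumed) the cart runs as its own
# account 'mifa', whose config is re-owned to match.
MATT_CGI = Principal("~matt/hacksql.cgi with suexec", "matt", frozenset({"matt"}))
MIFA_CGI = Principal("mifa cart with suexec", "mifa", frozenset({"mifa"}))
SQL_CONFIG_REOWNED = FileInfo(SQL_CONFIG.path, 0o600, "mifa", "mifa")


def before_and_after():
    """Return the audit for both configurations so they can be compared."""
    before = audit([SQL_CONFIG, MATT_PAGE], [SHARED_CGI])
    after = audit([SQL_CONFIG_REOWNED, MATT_PAGE], [MATT_CGI, MIFA_CGI])
    return before, after


if __name__ == "__main__":
    for label, report in zip(("before", "after"), before_and_after()):
        print(f"== {label} ==")
        for who, paths in report.items():
            print(f"{who}: {paths}")
```

Run it with `python3 cgi_identity_audit.py`. The point the model makes is that the 0700 mode on SQL-config is irrelevant as long as every customer's CGI shares the owner identity; the fix is not tighter bits but a separate identity per site and a config owned by the application's own account, which is exactly what the suexec arrangement the post dislikes provides.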


