Independent Digital

Creating and managing dynamic websites using Php, MySql, HTML and Wordpress with a bit of PEAR on the side


MySQL general security guidelines. Part 4.

19 March, 2008 (11:45) | MySQL, Security | By: clive

Security Issues with LOAD DATA LOCAL

The LOAD DATA statement can load a file located on the server host, or a file located on the client host when the LOCAL keyword is specified.

There are two security issues when using the LOCAL version of LOAD DATA:

  • The MySQL server initiates the transfer of the file from the client host to the server host. It is therefore possible for the server to access any file on the client host to which the client user has read access.

  • In a Web environment, a user could use LOAD DATA LOCAL to read any files that the Web server process has read access to.

As of MySQL 3.23.49 and 4.0.2, these problems are addressed as follows:

  • All MySQL clients and libraries in binary distributions are compiled, by default, with the --enable-local-infile option, to be compatible with MySQL 3.23.48 and before.

  • If you build MySQL from source, you must invoke configure with the --enable-local-infile option; otherwise LOAD DATA LOCAL cannot be used by any client unless it is written explicitly to invoke mysql_options(... MYSQL_OPT_LOCAL_INFILE, 0).

  • You can disable all LOAD DATA LOCAL commands from the server side by starting mysqld with the --local-infile=0 option.

  • With the mysql command-line client, LOAD DATA LOCAL can be enabled by specifying the --local-infile[=1] option and disabled with the --local-infile=0 option. For mysqlimport, the --local or -L option enables local data file loading.

  • If you use LOAD DATA LOCAL in programs that read the [client] group from option files, you can add the local-infile=1 option to that group. Use the loose- prefix (loose-local-infile=1) to keep this from causing problems for programs that do not understand local-infile. If LOAD DATA LOCAL INFILE is disabled, a client that issues such a statement receives an error message.
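As an added example (not part of the original post), the following Python script audits a my.cnf-style option file for the settings described above. It applies MySQL's option-name rules (dash and underscore are interchangeable, a loose- prefix is tolerated, a bare local-infile counts as =1) and reports whether the [mysqld] group disables LOAD DATA LOCAL and which client groups enable it. The sample option file is constructed for the example.

```python
import re
# Constructed sample option file (not a real deployment file): the server
# disables LOAD DATA LOCAL, [client] re-enables it with the loose- prefix,
# and [mysql] uses a bare option spelled with an underscore.
SAMPLE_MY_CNF = """[mysqld]
local-infile=0
[client]
loose-local-infile=1
user=app
[mysql]
local_infile
"""
ENABLED = {"", "1", "on", "true", "yes"}   # a bare option counts as =1
DISABLED = {"0", "off", "false", "no"}

def parse_option_file(text):
    # {section: {option: value}}, applying MySQL's option-name rules: '-' and '_'
    # are interchangeable; a loose- prefix is stripped (it only suppresses errors).
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[([^\]]+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
        elif current is not None:          # options before a [section] are ignored
            name, sep, value = line.partition("=")
            name = name.strip().lower().replace("_", "-")
            if name.startswith("loose-"):
                name = name[len("loose-"):]
            sections[current][name] = value.strip().lower() if sep else ""
    return sections

def local_infile_state(options):
    # True/False if the group sets local-infile; None if unset (the built-in
    # default of that server or client version then applies).
    value = options.get("local-infile")
    if value is None:
        return None
    if value not in ENABLED | DISABLED:
        raise ValueError(f"unrecognised local-infile value {value!r}")
    return value in ENABLED

def audit(text):
    sections = parse_option_file(text)
    server = local_infile_state(sections.get("mysqld", {}))
    clients = {g: local_infile_state(sections[g]) for g in ("client", "mysql") if g in sections}
    return server, clients
```

Running audit(SAMPLE_MY_CNF) on the constructed file returns (False, {'client': True, 'mysql': True}): the server refuses LOCAL loads, so the client-side settings are harmless until someone flips the server option.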


MySQL general security guidelines. Part 1

29 February, 2008 (10:30) | MySQL, Security | By: clive

If you have a MySQL database that is open to the internet, then you need to read the following security guidelines so that you will be in a better position to protect your data. All security measures should apply to the entire server and not just the MySQL server, in order to protect it from any and all types of attacks, including:

  • Eavesdropping

  • Altering

  • Playback

  • Denial of service.

MySQL uses security based on Access Control Lists (ACLs) for all connections, queries, and other operations. MySQL also supports SSL-encrypted connections between MySQL clients and servers.

When using MySQL:

  • Don't give anyone (except MySQL root accounts) access to the user table in the mysql database!

  • Familiarize yourself with the MySQL access privilege system (GRANT and REVOKE):

      o Don't grant more privileges than necessary.

      o Don't grant privileges to all hosts.

Check the following:

  • Try mysql -u root. If you are able to connect to the server without being asked for a password, then anyone can connect to your MySQL database!

  • Use SHOW GRANTS to check which accounts have access to what. Use the REVOKE statement to remove those privileges that are not necessary.

  • Don't store any plain-text passwords in your database. Instead, use a hashing function such as MD5() or SHA1() and store the hash value.

  • Don't choose passwords from dictionaries. Read up on how to choose a secure password.

  • Do use a firewall. Firewalls are able to keep out about 50% of all types of exploits. Put MySQL behind the firewall.

      o Check:

Try to scan your ports from the Internet using a tool such as nmap. MySQL's default port should not be accessible from untrusted hosts. Also try the following command from some remote machine, where server_host is the hostname or IP number of the host on which your MySQL server runs:

shell> telnet server_host 3306

If you get a connection and some garbage characters, the port is open and should be closed on your firewall or router. If telnet hangs or the connection is refused, then the port is, correctly, blocked.

  • Do not trust any data entered by users of your applications. They can enter special or escaped character sequences in Web forms, URLs, etc., which can then be used to access your database.

Protect string data values as well as numeric data. Use single quotes around numeric constants:

SELECT * FROM table WHERE ID='234'

If the user enters extra information, it all becomes part of the string. In a numeric context, MySQL converts this string into a number and strips any trailing non-numeric characters from it.

  • Also protect publicly available information against denial of service attacks. Otherwise, your server becomes unresponsive to legitimate users.

Check:

      o Use single and double quote marks (' and ") in all of your Web forms.

      o Modify dynamic URLs by adding %22 ("), %23 (#), and %27 (') to them.

      o Modify data types in dynamic URLs from numeric to character types using the above characters.

      o Do not pass unchecked values to MySQL. Test by entering characters, spaces, and special symbols rather than numbers in numeric fields. Your application should remove them before passing them to MySQL, or else generate an error.

      o Check the size of data before passing it to MySQL.

      o Use a different username (not your administrative username) for your application to connect to the database.

      o Do not give your applications any access privileges they do not need.

      o Use the escaping functions of your application language (PHP, Perl, etc.) to escape special characters in data values. This prevents users from entering values that cause the application to generate statements that have a different effect than you intend.
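The unchecked-numeric-value case above, as an added example that is not from the original post: a lookup that concatenates the user-supplied ID straight into the statement, beside the hardened form that applies the "generate an error" check and then binds the value as a query parameter. sqlite3 stands in for MySQL so the example runs offline (it does not perform MySQL's string-to-number conversion described above, but the injection and the fix behave the same); the table is constructed sample data.

```python
import re
import sqlite3

def make_db():
    # Constructed sample table (not real data); sqlite3 stands in for MySQL.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (ID INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(234, "alice", 0), (235, "bob", 1), (236, "carol", 0)])
    return con

def lookup_vulnerable(con, user_input):
    # Unquoted value concatenated straight into the statement: input such as
    # "234 OR 1=1" rewrites the WHERE clause instead of being treated as an ID.
    sql = "SELECT ID, name FROM users WHERE ID=" + user_input
    return con.execute(sql).fetchall()

ID_RE = re.compile(r"^[0-9]{1,10}$")

def validate_id(user_input):
    # The post's "generate an error" check: anything but a plain decimal ID is rejected.
    if not ID_RE.match(user_input):
        raise ValueError(f"invalid ID: {user_input!r}")
    return int(user_input)

def lookup_hardened(con, user_input):
    # Validate first, then bind the value as a parameter so it is never parsed as SQL.
    uid = validate_id(user_input)
    return con.execute("SELECT ID, name FROM users WHERE ID=?", (uid,)).fetchall()

if __name__ == "__main__":
    con = make_db()
    print(lookup_vulnerable(con, "234 OR 1=1"))   # every row: the injection worked
    print(lookup_hardened(con, "234"))            # [(234, 'alice')]
    try:
        lookup_hardened(con, "234 OR 1=1")
    except ValueError as err:
        print("rejected:", err)
```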

  • Do not transmit plain (unencrypted) data over the Internet. Rather, use an encrypted protocol such as SSL or SSH.

  • Use the tcpdump and strings utilities to check whether MySQL data streams are unencrypted, by issuing a command like the following (works under Linux, and probably under other systems with some modification):

shell> tcpdump -l -i eth0 -w - src or dst port 3306 | strings

Be aware, though, that the absence of plain text does not always mean that the information is encrypted. Consult a security expert if you need high security.

WampServer takes the hassle out of installing Apache, MySQL and PhP on a Windows system.

15 February, 2008 (13:46) | Apache, MySQL, Php | By: clive

You want to install Apache, MySQL and PhP but are put off by the hassle of setting them all up. Don’t worry, here’s a simple way of doing it. Just download a file, run it to install, follow the instructions and everything is done for you. No settings to change, no nothing. Couldn’t be simpler.

WampServer is a Windows web development environment. It allows you to create web applications with Apache, PHP and the MySQL database. It also comes with PHPMyAdmin and SQLiteManager to easily manage your databases.

WampServer installs automatically (installer), and its usage is very intuitive. You will be able to tune your server without even touching the setting files.

WampServer is the only packaged solution that will allow you to reproduce your production server. Once WampServer is installed, you have the possibility to add as many Apache, MySQL and PHP releases as you want.

You can download it here. Here's the WampServer homepage.

Here's a quick and easy step-by-step tutorial on how to install it.

WordPress help: A comprehensive resource list for beginners and seasoned users. Part 2. Plan your installation.

12 February, 2008 (09:54) | Blogging, Wordpress | By: clive

If you think WordPress is for you, then plan your installation: