Plesk is encouraging "god" users in MySQL, a horrible database practice

FrankR

He has: 45 posts

Joined: Oct 2006

Plesk does not let one specify different levels of permissions to MySQL users! I am absolutely floored at the short sightedness of this! It totally violates the principle of least privilege for access permissions and perpetuates horrible development practice.

Has anyone else run into this with other control panels? The continued use of "god" users in web applications is a big problem as it leaves the database server incapable of mitigating some SQL injection attacks against web interfaces to databases.

What practices do you guys use? Are you using a single database user with full access or do you have multiple database privileges depending on what is needed? I think in general, three is a good idea: one for unauthenticated activity, one of authenticated activity, and finally one for administration.

Frank

Author of SQL Converter for Excel, which is an Excel add-in for converting data to MySQL.

JeevesBond

He has: 3,956 posts

Joined: Jun 2002

I certainly don't use Plesk to configure MySQL access! We use Plesk on this site (not through choice) and we do not like it at all. It's very restrictive and assumes far too much about what you're trying to do. I think what you've pointed out is a good example of that: because users are obviously too stupid to control permissions themselves!

Personally I just SSH into the server and type mysql -ublah -p then enter SQL manually. There are some good tools from MySQL for managing databases remotely (if you don't like/don't have access to SSH): http://dev.mysql.com/downloads/gui-tools/

a Padded Cell our articles site!

Greg K

He has: 2,145 posts

Joined: Nov 2003

For the program I wrote, I also have 3 users: one that is read-only for general information, one that can read/write user databases once they are logged in, and one used only during signup/maintenance scripts (to create new databases for new users, to archive and delete databases from users that have been expired 6 months, etc.). Then we also have a full-access one that is not used by the program, used either via SSH or via phpMyAdmin on the secure side of our server.

-Greg
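An added example (not code posted by FrankR or Greg K) of the three-account split discussed in FrankR's question and Greg K's reply, written as MySQL GRANT statements. The database name `webapp`, the table names `articles` and `user_profiles`, the account names, the `localhost` host restriction and the `CHANGE-ME-*` passwords are all assumptions for illustration.

```sql
-- Added example, not from the thread: one MySQL account per trust level.
-- Database, table and account names are placeholders chosen for this example.

CREATE DATABASE IF NOT EXISTS webapp;

-- 1. Unauthenticated traffic: read-only, and only on public content.
--    An injection through a public page can at worst read the articles table.
CREATE USER 'webapp_public'@'localhost' IDENTIFIED BY 'CHANGE-ME-public';
GRANT SELECT ON webapp.articles TO 'webapp_public'@'localhost';

-- 2. Logged-in users: row-level read/write on their data, no schema changes.
CREATE USER 'webapp_member'@'localhost' IDENTIFIED BY 'CHANGE-ME-member';
GRANT SELECT ON webapp.articles TO 'webapp_member'@'localhost';
GRANT SELECT, INSERT, UPDATE, DELETE ON webapp.user_profiles
    TO 'webapp_member'@'localhost';

-- 3. Signup / maintenance scripts: may create and drop objects inside this
--    database only; still no global privileges (no FILE, SUPER, or mysql.*).
CREATE USER 'webapp_maint'@'localhost' IDENTIFIED BY 'CHANGE-ME-maint';
GRANT CREATE, DROP, ALTER, INDEX, SELECT, INSERT, UPDATE, DELETE ON webapp.*
    TO 'webapp_maint'@'localhost';

-- Human administration (SSH or phpMyAdmin): never placed in application config.
CREATE USER 'dba'@'localhost' IDENTIFIED BY 'CHANGE-ME-dba';
GRANT ALL PRIVILEGES ON webapp.* TO 'dba'@'localhost' WITH GRANT OPTION;

FLUSH PRIVILEGES;

-- Check what each account can actually do; compare against what the code needs.
SHOW GRANTS FOR 'webapp_public'@'localhost';
SHOW GRANTS FOR 'webapp_member'@'localhost';
SHOW GRANTS FOR 'webapp_maint'@'localhost';
```

With this split, a statement smuggled through a public page that tries to touch `user_profiles` or drop a table fails with an "access denied" error from the server rather than succeeding, which is the mitigation FrankR refers to. The split limits the blast radius; it does not remove the injection itself, so parameterised queries in the application remain necessary.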

FrankR

He has: 45 posts

Joined: Oct 2006

I think both of you are well ahead of the curve. You would not believe the things I SAW customers do while in the hosting business. I am talking about seriously amateurish implementations that just screamed "hack me."

Yesterday, I had the pleasure of sitting in on two talks on web application hacking by one of the authors of Hacking Exposed Web Applications. He demonstrated a bunch of scary stuff with blind SQL injection, cross-site scripting, and good-old-fashioned recon-and-exploit.

A few points about databases:

  1. Most web applications are exploitable
  2. The entire database can be extracted through a single injection spot even when error reporting is turned off (look up Blind SQL Injection)
  3. It does not matter which database server or programming environment you use, they are all vulnerable.
  4. Always pay attention to what you put in your URLs. That is where attackers first look for weaknesses.

Frameworks help when used properly as they can be fixed much like an operating system can be patched to close a vulnerability.

By the way, be sure that you have no web-accessible web logs or analyzed statistics. Information that is accessed the least is very valuable, as it often points to administrative interfaces.

Frank

Author of SQL Converter for Excel, which is an Excel add-in for converting data to MySQL.
