MySQL Security Commentary
Interesting MySQL-related stuff [Chris Anley]
[16th November 2005] MySQL 5 Stored Procedures / SQL Injection
MySQL 5 is now out, which is great; loads of new features to fiddle
with. One interesting new feature is the stored procedure mechanism,
mainly because it has the same SQL injection behaviour as Oracle -
procedures execute with 'definer' rights by default, and can contain
dynamically constructed statements. This can lead to dangerous
security flaws. To take an absurdly contrived example, this procedure:
delimiter //
create procedure test.injection( s text )
begin
    -- the caller-supplied text becomes the entire statement
    set @q = concat(" ", s);
    PREPARE stmt from @q;
    EXECUTE stmt;
end//
delimiter ;
...if created by 'root', will run with 'root' privileges. This means
that anyone who can execute it (say, 'low_priv', our low privileged
account) can run arbitrary SQL with root privileges, like this:
mysql> call test.injection('update mysql.user set file_priv=''Y'' where user=''low_priv''');
So the low_priv user can grant themselves root privileges. Obviously MySQL doesn't have
any default procedures (yet), but this is something to watch for.
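
What to watch for, and the safer shape, as an added example that is not part of the original post: an audit query for definer-rights routines that prepare dynamic SQL, a switch of the procedure above to invoker rights, and a rewrite that binds caller data through a placeholder. The names test.lookup_account and test.accounts are hypothetical.

```sql
-- 1. Audit: definer-rights routines whose body prepares dynamic SQL.
--    ROUTINE_DEFINITION is NULL for routines the current account is not
--    allowed to read, so run this from an administrative account.
SELECT ROUTINE_SCHEMA, ROUTINE_NAME, ROUTINE_TYPE, DEFINER
FROM information_schema.ROUTINES
WHERE SECURITY_TYPE = 'DEFINER'
  AND UPPER(ROUTINE_DEFINITION) LIKE '%PREPARE%'
ORDER BY ROUTINE_SCHEMA, ROUTINE_NAME;

-- 2. Stop-gap for a routine the audit flags: make it run with the
--    caller's rights instead of the definer's.
ALTER PROCEDURE test.injection SQL SECURITY INVOKER;

-- 3. Rewrite: the statement text is a fixed literal, and caller data is
--    bound through a placeholder rather than concatenated into it.
--    test.lookup_account and test.accounts are hypothetical names.
DELIMITER //
CREATE PROCEDURE test.lookup_account(IN p_name VARCHAR(64))
    SQL SECURITY INVOKER
BEGIN
    SET @name = p_name;   -- EXECUTE ... USING takes user variables
    PREPARE stmt FROM 'SELECT id, name FROM test.accounts WHERE name = ?';
    EXECUTE stmt USING @name;
    DEALLOCATE PREPARE stmt;
END//
DELIMITER ;
```

Every hit from the audit query needs a manual read: a routine that prepares only fixed statement text is fine, while one that concatenates a parameter into the prepared string has the problem described above.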