database security compromised
Posted by: swarupsengupto (117.194.6.---)
Date: September 17, 2013 05:52PM

I did the following and found something very risky.

1. Installed WAMP 2.2.
2. Created a password for the MySQL user root.
3. Logged in with the password and created a database.
4. It seemed my database was secured with a password.
5. Uninstalled WAMP 2.2.
6. After removal of WAMP, found the data folder intact.
7. Restarted the computer and installed WAMP 2.2 again, using the same folder in which I installed it first.

Now that the MySQL in WAMP has no password, I found it horrifying that the security of the old databases was completely compromised: they are now completely accessible without any password.

So, how do I secure my data?

Re: database security compromised
Posted by: RiggsFolly (---.as13285.net)
Date: September 17, 2013 10:59PM

Add a password back onto the root userid.

Re: database security compromised
Posted by: stevenmartin99 (Moderator)
Date: September 18, 2013 06:58PM

This has nothing to do with WampServer.

This is a MySQL issue, and it's not really an issue at all.

If you have physical access to a MySQL server you can easily replace the users table with a default users table to take control of it.


You will need to encrypt your DB to stop physical attacks.

Steven Martin
stevenmartin99@gmail.com
stevenmartin99@hotmail.com
PampServer.com - [pampserver.com]

Re: database security compromised
Posted by: swarupsengupto (117.194.7.---)
Date: September 19, 2013 05:18AM

stevenmartin99:

Thank you for your fast reply.

What I actually meant was:
1. Anybody can uninstall WAMP 2.2 and reinstall WAMP 2.2 again using the same folder in which I installed it first.
2. Whoever does so can now get access to my data, as it is open without any password.

This was not the case with the previous version of WAMP and, fortunately, with WAMP 2.4, where a password-protected MySQL DB won't even open to give scope to replace the "users" table.

So, now I am using WAMP for development purposes, whereas I install the original MySQL at my clients' end.

You also recommended: "You will need to encrypt your DB to stop physical attacks".
Exactly how do I do this encryption, and how do I access an encrypted DB in my programs (VB6, PHP, etc.)? Can you help me out?
Thanks again.

Re: database security compromised
Posted by: stevenmartin99 (Moderator)
Date: September 19, 2013 06:35AM

You don't need access to MySQL to replace tables.

In the data/mysql folder there are 3 files:

user.frm
user.MYD
user.MYI


If you just replace these 3 files with default files from a WAMP install, you can gain access to the DB without even uninstalling.


The reason you see it all depends on the version of MySQL in the WAMP bundle: if it's a different version then it won't overwrite these files, so it won't unsecure it....

If you reinstall the same version over itself, it will.
But like I said, it's not a WAMP issue; anyone with access to the machine is able to get to the DB files.

Most machines are not secure when physical access is available.

There are encryption functions in MySQL, or 3rd-party software to manage it; have a search on Google.

Steven Martin
stevenmartin99@gmail.com
stevenmartin99@hotmail.com
PampServer.com - [pampserver.com]
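
The check a practitioner would want after reading the post above: confirm what state the privilege table is actually in, and put passwords back. This is an added example, not part of the thread; it targets the MySQL 5.5 bundled with WampServer 2.2 (on MySQL 5.7 and later the column is `authentication_string` rather than `password`, and `PASSWORD()` is gone in 8.0). The password literal is a placeholder. Note that this only restores the state; it does nothing against someone who can overwrite the `user.*` files again.

```sql
-- Run as root, right after (re)installing. Added example; MySQL 5.5/5.6 syntax.

-- 1. The privilege tables are MyISAM, which is why mysql/user.frm, user.MYD
--    and user.MYI exist as plain files under the data directory.
SHOW TABLE STATUS FROM mysql LIKE 'user';

-- 2. List every account and whether it has a password at all. An empty
--    password column is exactly what a fresh or file-replaced user table
--    looks like; the anonymous ('') accounts WampServer creates show up here too.
SELECT user, host, password = '' AS no_password
FROM mysql.user
ORDER BY no_password DESC, user, host;

-- 3. Give every passwordless root account a password (placeholder secret),
--    drop the anonymous accounts, and reload the in-memory grant tables.
--    Editing mysql.user directly needs FLUSH PRIVILEGES to take effect.
UPDATE mysql.user
SET password = PASSWORD('change-me-to-a-long-random-secret')
WHERE user = 'root' AND password = '';
DELETE FROM mysql.user WHERE user = '';
FLUSH PRIVILEGES;

-- 4. Re-check: this must return no rows.
SELECT user, host FROM mysql.user WHERE password = '';
```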

Re: database security compromised
Posted by: swarupsengupto (117.194.2.---)
Date: September 19, 2013 05:37PM

Thank you for your response.
Suppose I create a second user "user2" with some password.
Now, can I create a database which will be accessible to user "user2" but not to user "root"?
Thank you.

Re: database security compromised
Posted by: stevenmartin99 (Moderator)
Date: September 19, 2013 06:05PM

That's a good question.

The answer is no, it's not possible.

Root is a global user, and any user with global privileges will be able to access the DB.

Because the permissions are not held in your DB but in the mysql DB.


It may seem backwards, but MySQL won't allow you access to a DB unless you have permission; but like I said before, that's only secure provided you're accessing MySQL via SQL methods.

Steven Martin
stevenmartin99@gmail.com
stevenmartin99@hotmail.com
PampServer.com - [pampserver.com]


Re: database security compromised
Posted by: RiggsFolly (---.as13285.net)
Date: September 19, 2013 06:08PM

Yes.

In phpMyAdmin:

1. Create the database.
2. Add a new user; leave all the global privileges unticked.
3. Click the Users tab to view users.
4. Click the Edit Privileges link for that user.
5. Look for the 'Database specific' section on the page that loads.
6. Select your new database in the 'Add privileges on the following database' dropdown.
You will be sent to another screen automatically to add privileges for that user on the selected database specifically.

Of course root is still allowed to do anything to any database, but your new user will only be allowed to access this one database, your new one.
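
The same walk-through as plain SQL, added here as an example (not from the post); run it as root. The database name `shop`, the account `user2` and the password are placeholders.

```sql
-- Added example: database-specific privileges without phpMyAdmin.

CREATE DATABASE shop;

-- A new account with no global privileges: it gets USAGE on *.*, i.e. it may
-- log in and nothing more.
CREATE USER 'user2'@'localhost' IDENTIFIED BY 'change-me';

-- Privileges on shop.* only; nothing on mysql.* or any other schema, and
-- no GRANT OPTION, so user2 cannot widen its own rights.
GRANT SELECT, INSERT, UPDATE, DELETE ON shop.* TO 'user2'@'localhost';

-- Verify: expect exactly two grant lines, USAGE ON *.* and the shop.* grant.
SHOW GRANTS FOR 'user2'@'localhost';

-- And the point RiggsFolly makes: root keeps ALL PRIVILEGES ON *.*,
-- which covers shop as well.
SHOW GRANTS FOR 'root'@'localhost';
```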

Re: database security compromised
Posted by: swarupsengupto (74.125.191.---)
Date: September 19, 2013 08:49PM

Riggs, thanks for your suggestions. I will definitely try out your suggestions as soon as I get hold of my workstation.

Steve, a local retail store runs my retail software. This s/w manages all its purchases, sales and even the ACCOUNTS. If compromising the security of the installed MySQL DB is so easy, as you said, anybody can open the DB and manipulate the accounts. So, how do I keep the DB SECURED? Any suggestions?

Thank you.

Re: database security compromised
Posted by: stevenmartin99 (Moderator)
Date: September 19, 2013 09:15PM

Riggs said that the new user will only have access to that database, but the root user can be reset easily, as I said, to gain access.

3 common solutions are:

1. Encryption of the DB.

2. Use SQLite and SQLCipher together.

3. Move MySQL to a secured location and then let them access it remotely.

Steven Martin
stevenmartin99@gmail.com
stevenmartin99@hotmail.com
PampServer.com - [pampserver.com]
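
An added example of the first and third options, using MySQL's own AES functions rather than any third-party tool; it is not code from the thread. It assumes MySQL 5.6.17 or later (for `block_encryption_mode`, `RANDOM_BYTES` and the three-argument `AES_ENCRYPT`); the table, key bytes and IP address are placeholders.

```sql
-- Added example: column encryption so that copied data files or a reset root
-- account yield only ciphertext. The key is supplied by the application at
-- query time and is never stored in any table.
-- The older two-argument AES_ENCRYPT is AES-128-ECB; avoid it for new data.
SET block_encryption_mode = 'aes-256-cbc';

CREATE TABLE account_ledger (
  id        INT AUTO_INCREMENT PRIMARY KEY,
  entry_at  DATETIME NOT NULL,
  iv        BINARY(16) NOT NULL,        -- fresh random IV per row
  amount_ct VARBINARY(64) NOT NULL,     -- AES_ENCRYPT output, not plaintext
  memo_ct   VARBINARY(512) NOT NULL
);

-- Placeholder 32-byte key, as the application would pass it in. A session
-- variable is used only to keep the statements below readable.
SET @k = UNHEX('0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0');

SET @iv = RANDOM_BYTES(16);
INSERT INTO account_ledger (entry_at, iv, amount_ct, memo_ct)
VALUES (NOW(), @iv,
        AES_ENCRYPT('1250.00', @k, @iv),
        AES_ENCRYPT('cash sale, till 2', @k, @iv));

-- Reading back needs the key and the stored IV.
SELECT id, entry_at,
       AES_DECRYPT(amount_ct, @k, iv) AS amount,
       AES_DECRYPT(memo_ct,   @k, iv) AS memo
FROM account_ledger;

-- What someone who has reset root (or copied the .ibd/.MYD files) sees:
SELECT id, entry_at, HEX(amount_ct), HEX(memo_ct) FROM account_ledger;

-- Option 3 from the post: MySQL on a machine the shop staff cannot touch,
-- with the till's application allowed in from a single address only.
CREATE USER 'till'@'192.0.2.10' IDENTIFIED BY 'change-me';
GRANT SELECT, INSERT, UPDATE ON shop.* TO 'till'@'192.0.2.10';
```

Two caveats. A key that appears in SQL text can end up in the general log, the binary log and `SHOW PROCESSLIST` on the very machine you are trying to protect, so it is better to do the AES work in the application (PHP's OpenSSL functions, or a library from VB6) and send only ciphertext; the schema stays the same. And encryption gives confidentiality only: whoever can write the data files can still delete rows or swap ciphertexts between them, so the accounts also need an integrity check (for instance an HMAC over each row kept with the application's key).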

