 

Is there a security risk in exposing MySQL tables names in javascript?

I have an ajax method that essentially works like this

function getRow(tableName, idName, idValue, callback)

The obvious benefit of this is that I have one function that can retrieve data from any table. However, this just feels wrong from a security perspective. Is it a security risk to do so? The corresponding PHP files that actually read/manipulate the database are secured through a prior authentication process, so theoretically the visibility of table names in a vacuum shouldn't be a risk (not to mention that the database only accepts localhost connections), but I wonder if there isn't a better/prettier way to accomplish this.

Edit: Just to clarify the authentication process, user/role security prevents access to all tables except those explicitly allowed for the user.

Derg asked Apr 06 '11 00:04


4 Answers

If you're sure that you have no SQL injection vulnerabilities, and that you never will, it's fine.

If you do have a SQL injection vulnerability, it will make the attacker's job somewhat easier.

It goes without saying (I hope) that the server-side script must use a whitelist of tables and columns that can be exposed via this method.

SLaks answered Nov 15 '22 15:11


Table names alone aren't that bad; however, the API you seem to be making may not be the best idea...

Think carefully about whether there are some tables that people shouldn't be able to query, because from the looks of it, I could query any table in your database from the client side. For example:

getRow('users', 'id', '7', function(data){console.log(data)})

What if the users table returns their password? Even if it is hashed, that's not good. Or their email? What if I want to harvest all of the users' emails? Pretty easy script I could write to do that.

ctcherry answered Nov 15 '22 13:11


It is a risk because it provides information to attackers. It's the same as providing the software version of software that you are using. It is not a vulnerability per se, but it's a door to vulnerabilities.

Spyros answered Nov 15 '22 13:11


This is a really bad idea.

For instance, let's say you are using this code:

$table_name=mysql_real_escape_string($_GET['table']);
$id_name=mysql_real_escape_string($_GET['idname']);
$id_value=mysql_real_escape_string($_GET['idvalue']);

mysql_query("select * from `$table_name` where `$id_name`='$id_value'");

This can be exploited a number of ways:

NOT SQL Injection

This query will return the root user in mysql.user, and this is

?table=mysql.user&idname=user&idvalue=root

This request will create the query:

select * from `mysql.user` where `user`='root'

SQL Injection:

This works because mysql_real_escape_string does not escape back-ticks:

?table=`table where 1 union select * from mysql.user/*&idname=junk&idvalue=junk

rook answered Nov 15 '22 13:11
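The same getRow API in two forms, as an added example that is not code from the question or from any of the answers: a Python rendition of the vulnerable PHP handler shown in the last answer, beside an allowlisted version of the kind the first answer calls for. sqlite3 stands in for MySQL so the example runs offline (SQLite accepts MySQL-style backtick identifiers); the tables, columns, rows and the injection payload are constructed for this example, and mysql_real_escape_string here is a mirror of the PHP function's escaped-character set, not the real function.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the MySQL schema the question hints at.
    Table and column names are assumptions made for this example."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, email TEXT, password TEXT)")
    db.execute("CREATE TABLE secrets (id INTEGER, value TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (7, "alice@example.com", "$2y$10$hashA"),
        (8, "bob@example.com", "$2y$10$hashB"),
    ])
    db.execute("INSERT INTO secrets VALUES (1, 'top secret')")
    return db


def mysql_real_escape_string(s):
    """Mirror of PHP's mysql_real_escape_string: it backslash-escapes NUL,
    \\n, \\r, backslash, single and double quotes and Ctrl-Z. It does not
    touch backticks, so it cannot protect an interpolated identifier."""
    table = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
             "'": "\\'", '"': '\\"', "\x1a": "\\Z"}
    return "".join(table.get(c, c) for c in s)


def get_row_vulnerable(db, table, idname, idvalue):
    """The pattern from the last answer: every input escaped, every input
    interpolated, identifiers included. Any table is reachable and a
    backtick inside idname closes the identifier quoting early."""
    sql = "select * from `%s` where `%s`='%s'" % (
        mysql_real_escape_string(table),
        mysql_real_escape_string(idname),
        mysql_real_escape_string(idvalue),
    )
    return db.execute(sql).fetchall()


# Allowlist: for each table the client may touch, the columns it may filter
# on and the columns that are returned. 'secrets' and users.password are
# deliberately absent, so they can never be selected through this endpoint.
ALLOWED = {
    "users": {"keys": ("id", "email"), "columns": ("id", "email")},
}


def get_row_safe(db, table, idname, idvalue):
    """Identifiers are taken only from ALLOWED, the value is a bound
    parameter, and only the listed columns are projected (no SELECT *)."""
    spec = ALLOWED.get(table)
    if spec is None or idname not in spec["keys"]:
        raise PermissionError("not exposed: %r.%r" % (table, idname))
    cols = ", ".join('"%s"' % c for c in spec["columns"])
    sql = 'SELECT %s FROM "%s" WHERE "%s" = ?' % (cols, table, idname)
    return db.execute(sql, (idvalue,)).fetchall()


def demo():
    db = make_db()
    # Constructed payload for the idname parameter: the backtick closes the
    # column identifier and the WHERE clause becomes
    #   `id` is not null or `id`='7'
    # which matches every row. No quote characters are needed, so the
    # escaping function never fires.
    payload = "id` is not null or `id"
    results = {
        "vuln_benign": get_row_vulnerable(db, "users", "id", "7"),
        "vuln_dump_all": get_row_vulnerable(db, "users", payload, "7"),
        "vuln_other_table": get_row_vulnerable(db, "secrets", "id", "1"),
        "safe_benign": get_row_safe(db, "users", "id", "7"),
    }
    rejected = []
    for args in (("users", payload, "7"),     # broken-out identifier
                 ("secrets", "id", "1"),      # table not in allowlist
                 ("users", "password", "x")):  # column not in allowlist
        try:
            get_row_safe(db, *args)
        except PermissionError:
            rejected.append(args)
    results["safe_rejected"] = rejected
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The vulnerable form returns the password hash with the benign request, every user with the payload, and the contents of a table the client was never meant to see; the allowlisted form answers the benign request with only id and email and rejects the other three before any SQL is built. On MySQL the allowlisted identifiers would be wrapped in backticks rather than double quotes (unless ANSI_QUOTES is set), but since they come from the server-side table and not from the request, the quoting style is no longer what the security rests on.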