• This is one of those WordPress-related questions, but if my conclusions are right, this question can be posed here.
    Not that I have a direct reason to start thinking about the subject, but the WP Security Scan did make me wonder about how to secure the database. I have searched around the internet, read some things on hacker sites and forums, but I don’t find/understand enough to know what action to undertake.
    I have a cheap hosting provider with which I have never had any problems. It is hard for a half-informed person to find all the information that I want; in fact, I don’t even know for sure that I’m on a dedicated server and I don’t know what my provider does for security. Taking it that it will be something, I just want to make sure that I do everything that I can myself. “Hardening WordPress” itself is one thing, but there’s more to the subject.
    The first thing that makes my mind spin is: how can a database be insecure? How would a hacker know to find my database and crack my login? Would they go through my control panel, or is there a way to access a database directly? Should one get in, it is easy to guess the names of the tables, since they are the same for almost any WP installation, so I suppose that with some starting information it would be relatively easy to write some malicious code to do something in the database. With that approach, it could be a good suggestion to change the prefixes of the tables.
    Taking it that I wouldn’t know a way to approach a database directly (but I’m no hacker) and I can’t find information on the possibility of that, there has to be another way to do that. This (of course) is where WP comes into the picture.
    Apparently it is possible to put code into pieces of WP that use the database, such as login forms (secured by default, if I’m right), search forms or forms made by plugins. My guess is that a command passes (or uses) the wp_config file to access the database, so how would it help to change the prefix? I also ran into some simple JavaScript strings to display cookie information (I guess/hope from a computer, not from a server) and there’s of course that Google search list, but I couldn’t find anything serious there.
    My temporary conclusion is that it is only through WP that a hacker can gain access to my database and that I don’t know many things to make that more difficult. I use Ask Apache, but that’s more for WP protection, and perhaps it hides some useful information from a hacker, but I wouldn’t know about that.

    So I guess my questions are:
    1- How would a hacker try to access the database?;
    2- What can I do myself to make that more difficult (other than decent usernames and passwords)?;
    3- Do you think that changing table prefixes makes any difference?

Viewing 5 replies - 1 through 5 (of 5 total)
  • OK, I saw your questions last night and was going to answer them, but I couldn’t find the examples I needed, so I decided not to answer.

    But, since you asked again, I can give you enough that you will understand without examples.

    Last night you asked a good, fair question, basically along the lines of why one might change table names if the hacker doesn’t know the name of the database.

    The short answer is that they don’t need to know the name of the database; WordPress has already made the connection for them.

    MySQL and PHP talk so well to one another that you can construct MySQL queries within URLs and manipulate a database (as long as the connection already exists).

    For instance:

    ?thing=-1/**/UNION/**/SELECT/**/concat(0x7c,user_login,0x7c,user_pass,0x7c)/**/FROM/**/wp_users
    Just imagine that string appended to your URL.

    That’s actually a variant of a very simple working exploit that is constantly tried on new plugins, and it’s worked more than once.

    Notice that they didn’t have to query the DB? They just had to know the table name.

    The root cause of these sorts of problems is unsanitized, or improperly sanitized code — instances where user input is expected, but not properly checked to see if it’s secure.

    Something like this, for example:

    $thing = $_GET['thing'];

    That’s a PHP variable that’s saying, “OK, I’m looking for a $_GET, and when I receive it, I’m going to define the variable $thing”.

    Nothing else, no checking, nada, just grab the $_GET and go. Plugins are notorious for these sorts of problems, and it stems largely from people who don’t understand PHP writing plugins. Everyone wants to get on the “I’ve written a WP plugin” bandwagon, but they don’t understand that there’s more to it than just making something work.

    My string, the long one up above… there’s the $_GET I want to send to a file that has that line in it, I just defined $thing — and I just queried your database — and I just snagged your password. You’re in hell.

    The answer to your three questions:

    1. I just showed you
    2. change table prefix
    3. yes

    Anything else?

    Thread Starter Roy (@gangleri)

    Thanks Whoo! Yesterday I was nagging Michael with my too-rapid testing of his plugin. (I even learned a little more last night: I can’t just remove a few tables from the database without wrecking it.) He apparently didn’t want to spend the time to answer my not-directly-plugin-related questions. That’s fine.

    If I understand you correctly, a hacker doesn’t even need a form or anything to pull a query out of the database. That is indeed a very big reason to change the prefixes, since in my assumption the query passed through wp_config and that is where the prefix is ‘told to WP’, but this file has nothing to do with the query in your example, right?

    So at least the only way to access the database is by means of the software that uses it and I don’t have to worry that somebody finds the server and attack from there? (Or at least, this is less likely.)

    Thank you for your lesson, I’m going to do some more testing of the Security Scan plugin and let it loose on the real site.

    No, you do not need a form, but under the right circumstances, you can use one.

    Let’s say a plugin is looking for a $_POST (that’s what forms typically send):

    $otherthing = $_POST['otherthing'];

    I can create a file within my own web space and use it to send a properly crafted $_POST to your form, similar to the $_GET above, and get exactly the same result. Notice that once again, this:

    $otherthing = $_POST['otherthing'];

    is completely unsanitized.
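
    The following is an added, runnable illustration of the hole described in the two replies above (the `$_GET['thing']` and `$_POST['otherthing']` cases are the same bug once the value reaches the query); it is not code from the thread, from WordPress, or from any real plugin. It assumes a hypothetical plugin query `SELECT post_title FROM wp_posts WHERE ID = $thing`, uses Python’s sqlite3 in place of MySQL, and rewrites MySQL’s concat(0x7c, ...) with SQLite’s || operator while keeping the /**/ spacing from the payload. The post rows, the user row with its placeholder hash, and the alternative prefix x7q_ are constructed sample data.

```python
import sqlite3

# Constructed sample rows; the "hash" is a placeholder string, not a real
# WordPress password hash.
SAMPLE_POSTS = [(1, "Hello world!"), (2, "Sample Page")]
SAMPLE_USERS = [(1, "admin", "$P$BplaceholderHashForDemo")]

# The thread's payload, rewritten for SQLite: MySQL's concat(0x7c, ...) becomes
# '|' || ... || '|'. The /**/ comments stand in for spaces exactly as in the URL.
PAYLOAD = ("-1/**/UNION/**/SELECT/**/'|'||user_login||'|'||user_pass||'|'"
           "/**/FROM/**/wp_users")


def make_db(prefix="wp_"):
    """In-memory database laid out like a WordPress install using `prefix`."""
    db = sqlite3.connect(":memory:")
    db.execute(f"CREATE TABLE {prefix}posts (ID INTEGER PRIMARY KEY, post_title TEXT)")
    db.execute(f"CREATE TABLE {prefix}users (ID INTEGER PRIMARY KEY, "
               "user_login TEXT, user_pass TEXT)")
    db.executemany(f"INSERT INTO {prefix}posts VALUES (?, ?)", SAMPLE_POSTS)
    db.executemany(f"INSERT INTO {prefix}users VALUES (?, ?, ?)", SAMPLE_USERS)
    return db


def vulnerable_lookup(db, thing, prefix="wp_"):
    """The plugin bug: `$thing = $_GET['thing'];` (or a $_POST field) pasted
    straight into the SQL. Whatever the request carried is now part of the query."""
    sql = f"SELECT post_title FROM {prefix}posts WHERE ID = {thing}"
    return [row[0] for row in db.execute(sql)]


def safe_lookup(db, thing, prefix="wp_"):
    """The fix: cast to the type you expect and bind the value as a parameter
    (what $wpdb->prepare('... WHERE ID = %d', $thing) does in WordPress)."""
    try:
        post_id = int(thing)
    except (TypeError, ValueError):
        raise ValueError("thing must be a numeric post ID")
    rows = db.execute(f"SELECT post_title FROM {prefix}posts WHERE ID = ?", (post_id,))
    return [row[0] for row in rows]


def attack(prefix, payload=PAYLOAD):
    """Send the payload through the vulnerable code path on an install that
    uses `prefix` and return what the attacker gets back."""
    db = make_db(prefix)
    try:
        return vulnerable_lookup(db, payload, prefix)
    except sqlite3.OperationalError as exc:
        # A wrong guess at the table name is only a failed guess: the hole
        # is still there, so a changed prefix buys guessing time, not safety.
        return f"error: {exc}"


if __name__ == "__main__":
    print("normal request:       ", vulnerable_lookup(make_db(), "1"))
    print("injected, prefix wp_: ", attack("wp_"))
    print("injected, prefix x7q_:", attack("x7q_"))
    try:
        safe_lookup(make_db(), PAYLOAD)
    except ValueError as exc:
        print("parameterised lookup: ", exc)
```

    Run as is, the default-prefix install hands back `|admin|<hash>|` from a single request that never touched a login form or the control panel, the renamed-prefix install answers with "no such table: wp_users" (a failed guess, not a closed hole), and the parameterised version refuses the payload outright because it is not an integer. That is the difference between obscurity (the prefix) and an actual fix (validating and binding the input).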

    Thread Starter Roy (@gangleri)

    Last question (before my lunch break). I saw a very simple sanitation script on some website. Does WP use something like that too, or is this another thing to look into?

    WP sanitizes its variables, VERY few slip in that are not checked. Again, I said plugins.

  • The topic ‘Database security’ is closed to new replies.