Excerpts from Olaf van der Spek's message of Fri Oct 14 03:14:23 -0700 2011:
> Hi,
>
> Drizzle still appears to support "select into outfile". At least
> there's code for it. Is it still supported?
> Shouldn't this be done client-side? IMO this server-side code should be
> removed.
>
> See for example drizzled\file_exchange.h
>
I would support removal of this from a security standpoint. This is used
to escalate privileges via SQL injection + insecure temp file creation.
Consider (please ignore syntax errors, it's been a while since I wrote SQL):

create table commands (command LONGTEXT);
insert into commands values('#!/bin/sh
echo "rooted:x:0:0::/root:/bin/bash >> /etc/passwd
rooted:$1$....:... >> /etc/shadow
sed -i -e 's/PermitRootLogin +.*/PermitRootLogin yes/' /etc/ssh/sshd_config
killall -HUP sshd');
select into outfile '/tmp/predictable.temp.root.script.sh' command from
commands;

Much better to just leave this out of drizzled and require a local
command to be run to get data out locally, IMO.
_______________________________________________
Mailing list: https://launchpad.net/~drizzle-discuss
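
The "insecure temp file creation" half of the reply above, seen from the side of the privileged job that later uses the file. This is an added example, not part of the original message or of Drizzle; the function names are hypothetical and a throwaway directory stands in for /tmp. It shows exclusive creation refusing a path that something else already wrote, and a private random directory replacing the predictable name.

```python
import os
import shutil
import stat
import tempfile

FLAGS = os.O_WRONLY | os.O_CREAT | os.O_EXCL | os.O_NOFOLLOW


def write_exclusive(path, body):
    """Create path only if nothing exists there; never follow a symlink."""
    fd = os.open(path, FLAGS, 0o700)  # raises FileExistsError if pre-created
    with os.fdopen(fd, "w") as fh:
        fh.write(body)


def create_private_script(body, parent=None):
    """Preferred form: random 0700 directory, so the name cannot be guessed
    and no other local user can create entries next to the script."""
    workdir = tempfile.mkdtemp(prefix="job-", dir=parent)
    path = os.path.join(workdir, "run.sh")
    write_exclusive(path, body)
    return path


def demo():
    base = tempfile.mkdtemp(prefix="tmp-standin-")  # stands in for /tmp
    try:
        fixed = os.path.join(base, "predictable.temp.root.script.sh")
        # Constructed stand-in for a file some other process wrote first.
        with open(fixed, "w") as fh:
            fh.write("PLANTED\n")
        try:
            write_exclusive(fixed, "#!/bin/sh\necho job\n")
            refused = False
        except FileExistsError:
            refused = True
        with open(fixed) as fh:
            untouched = fh.read() == "PLANTED\n"
        safe = create_private_script("#!/bin/sh\necho job\n", parent=base)
        dir_mode = stat.S_IMODE(os.stat(os.path.dirname(safe)).st_mode)
        return refused, untouched, dir_mode == 0o700, safe != fixed
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print(demo())
```

A job hardened this way treats a pre-existing file at its expected path as an error to report rather than something to run or overwrite.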