I am trying to address the problem described in CWE-798, specifically how to let my application authenticate to the database securely. I want to set a MySQL password in mysqld and push that information to the PHP application server. That requires passing the new password from mysqld to PHP before the PHP instance tries to connect to mysqld.
(I did read the approaches suggested on mitre.org, and I have some understanding of privileged access management, but none of those suggestions solves the problem.)
Unless it is initiated from within mysqld, for example using its event scheduler, I would need to maintain some script outside MySQL that itself needs credentials to connect, which defeats the purpose.
My problem is that I do not know how to make MySQL initiate a client connection to the application in order to inject the new password; it does not seem to provide a standard function for calling a URL or executing a program.
Is implementing a UDF my only option?
Answer 0 (score: 0)
The vulnerability you're describing seems to primarily relate to applications that are in the hands of users who can freely inspect what they've been given, such as might be the case in a desktop application or a mobile app. If you have credentials in there, you must take great pains to encrypt them, and then prevent that encryption from being cracked by protecting your key; but seeing as how all of this has to happen on the user's hardware, you're fighting a battle you may never win.
This is how the DVD encryption was cracked: the private key for decrypting DVD data was stored in a desktop application and eventually uncovered.
Server-side code has different concerns. Here you want to avoid hard-coding credentials into your application, not because you're concerned about hostile users per se, though that can be an issue, but because you do not ever want your credentials to end up in a version control system.
One way to ensure this never happens is to have the credentials stored in a file external to your application, like a config file that the application can reference. Most frameworks have some kind of configuration file (.yml, .ini, .xml) that define how they connect to the database. This file should be stored on the server and only on the server, not on developer workstations, not in your version control, and especially not somewhere shared.
You can go down the road of using something like Zookeeper to manage your configuration files but the investment of time required makes this a futile exercise unless you're managing hundreds of servers.
So the short answer here is: don't put your credentials in your code, or store them with your code. Put them in a config file that's kept on the server and the server alone.
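The following is an added example of the arrangement the answer recommends; it is not code from the question, the answer, or any project on this page. It assumes a hypothetical credentials file at `/etc/myapp/db.ini` (the path, the `myapp` name and the key names are assumptions), written by the deployment tooling, owned by the PHP worker's user, and outside both the web root and the source tree. The loader refuses to use the file if it is readable by group or others, or if it turns out to sit under the document root, so a sloppy deployment fails closed instead of handing the password to whoever can read the file.

```php
<?php
declare(strict_types=1);

// Added example, not part of the original answer.
// Expected contents of the credentials file (assumed format, INI syntax):
//   host     = 127.0.0.1
//   dbname   = appdb
//   user     = app_rw
//   password = <set by deployment tooling, never committed>
// Provision it with: chown www-data:www-data /etc/myapp/db.ini && chmod 0600 /etc/myapp/db.ini

const DB_CONFIG_PATH = '/etc/myapp/db.ini';   // assumed path, outside the web root

/**
 * Load credentials from the external config file and sanity-check where
 * and how it is stored before any of its values are used.
 */
function loadDbConfig(string $path = DB_CONFIG_PATH): array
{
    $real = realpath($path);
    if ($real === false || !is_file($real)) {
        throw new RuntimeException("database config not found: $path");
    }

    // Fail closed on permissive modes: anything other than owner-only access
    // (e.g. a 0644 file left behind by a copy step) is rejected outright.
    $mode = fileperms($real) & 0777;
    if (($mode & 0077) !== 0) {
        throw new RuntimeException(sprintf(
            'refusing %s: mode %04o is group/world accessible, expected 0600', $real, $mode));
    }

    // Refuse a config that lives under the document root; a misconfigured
    // web server could serve it as a static file.
    $docRoot = $_SERVER['DOCUMENT_ROOT'] ?? '';
    if ($docRoot !== '' && ($docReal = realpath($docRoot)) !== false
        && strpos($real, rtrim($docReal, '/') . '/') === 0) {
        throw new RuntimeException("refusing $real: it is inside the web root $docReal");
    }

    $cfg = parse_ini_file($real, false, INI_SCANNER_TYPED);
    if ($cfg === false) {
        throw new RuntimeException("cannot parse $real");
    }
    foreach (['host', 'dbname', 'user', 'password'] as $key) {
        if (!isset($cfg[$key]) || (string) $cfg[$key] === '') {
            throw new RuntimeException("missing '$key' in $real");
        }
    }
    return $cfg;
}

/** Open the connection; the password never appears in application code. */
function connectDb(array $cfg): PDO
{
    $dsn = sprintf('mysql:host=%s;dbname=%s;charset=utf8mb4', $cfg['host'], $cfg['dbname']);
    return new PDO($dsn, (string) $cfg['user'], (string) $cfg['password'], [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
    ]);
}

// Usage: the only place the application touches credentials.
$pdo = connectDb(loadDbConfig());
```

Because the file lives outside the checkout, nothing has to be added to `.gitignore` for it to stay out of version control; rotating the password is then a matter of rewriting `/etc/myapp/db.ini` and recycling the PHP workers, with no change to the code that is committed.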