Database Security Configuration Vulnerabilities

High Risk Configuration
databaseconfigurationsecurityaccess-controlprivilegesauthenticationnetwork-securitymysqlpostgresqlmonitoring

What it is

Critical security vulnerabilities that arise from improper database configuration settings. These misconfigurations can amplify the impact of other vulnerabilities like SQL injection, expose databases to unauthorized access, and create opportunities for data theft or system compromise through overprivileged users, weak authentication, and inadequate access controls.

-- VULNERABLE: Overprivileged database user
CREATE USER 'app_user'@'%' IDENTIFIED BY 'simple_password';
GRANT ALL PRIVILEGES ON *.* TO 'app_user'@'%';

-- Allowing connections from anywhere
BIND_ADDRESS = 0.0.0.0

-- No connection limits
-- No query time limits
-- SECURE: Least privilege principle
CREATE USER 'app_user'@'localhost' IDENTIFIED BY 'C0mpl3x_P@ssw0rd_2024!';

-- Grant only necessary permissions
GRANT SELECT, INSERT, UPDATE ON myapp.users TO 'app_user'@'localhost';
GRANT SELECT, INSERT, UPDATE ON myapp.posts TO 'app_user'@'localhost';

-- Limit connections
CREATE USER 'app_user'@'localhost'
  IDENTIFIED BY 'C0mpl3x_P@ssw0rd_2024!'
  WITH MAX_CONNECTIONS_PER_HOUR 1000
       MAX_QUERIES_PER_HOUR 10000;

-- Secure binding
BIND_ADDRESS = 127.0.0.1

-- Enable query logging for monitoring
GENERAL_LOG = ON
SLOW_QUERY_LOG = ON

💡 Why This Fix Works

Database configuration plays a crucial role in preventing SQL injection impact. Use least privilege access, strong passwords, and proper network restrictions.

Why it happens

Creating database users with excessive privileges violates the principle of least privilege. When application users have ALL PRIVILEGES or administrative access, SQL injection attacks can cause much more damage including dropping databases, accessing other applications' data, or executing system commands.

Root causes

Overprivileged Database Users

Creating database users with excessive privileges violates the principle of least privilege. When application users have ALL PRIVILEGES or administrative access, SQL injection attacks can cause much more damage including dropping databases, accessing other applications' data, or executing system commands.

Preview example – SQL 
-- VULNERABLE: Overprivileged database user
CREATE USER 'app_user'@'%' IDENTIFIED BY 'simple_password';
GRANT ALL PRIVILEGES ON *.* TO 'app_user'@'%';
-- This user can access ALL databases and perform ANY operation
-- SQL injection can now DROP databases, read other apps' data, etc.

Weak Authentication Configuration

Using weak passwords, allowing connections from anywhere (%), or disabling authentication mechanisms creates easy attack vectors. These configurations make databases vulnerable to brute force attacks and unauthorized access.

Preview example – SQL 
-- VULNERABLE: Weak authentication
CREATE USER 'admin'@'%' IDENTIFIED BY 'password123';
CREATE USER 'app'@'%' IDENTIFIED BY '';
-- Allow passwordless connections
skip-grant-tables  -- Disables authentication entirely
-- Bind to all interfaces
bind-address = 0.0.0.0

Unrestricted Network Access

Allowing database connections from any host (%) or binding to all network interfaces exposes databases to attacks from the internet. This greatly increases the attack surface and makes internal databases accessible to external attackers.

Preview example – SQL 
-- VULNERABLE: Network configuration
-- Allow connections from anywhere
CREATE USER 'app'@'%' IDENTIFIED BY 'password';
-- Bind to all interfaces (accessible from internet)
bind-address = 0.0.0.0
port = 3306  -- Default port exposed
-- No firewall restrictions

Disabled Security Features

Disabling important security features like SSL/TLS encryption, query logging, or connection limits removes important safeguards and monitoring capabilities. This makes it harder to detect attacks and leaves data vulnerable in transit.

Preview example – SQL 
-- VULNERABLE: Disabled security features
-- Disable SSL/TLS encryption
ssl = 0
-- No connection limits
-- No query logging
general_log = OFF
slow_query_log = OFF
-- No query time limits
max_execution_time = 0

Fixes

1

Implement Least Privilege Access Control

Create dedicated database users with only the minimum privileges required for their specific function. Grant permissions only on specific tables and operations that the application actually needs.

View implementation – SQL 
-- SECURE: Least privilege database users
-- Create dedicated users for different functions
CREATE USER 'app_read'@'localhost' IDENTIFIED BY 'C0mpl3x_R3ad_P@ssw0rd_2024!';
CREATE USER 'app_write'@'localhost' IDENTIFIED BY 'C0mpl3x_Wr1t3_P@ssw0rd_2024!';
CREATE USER 'app_admin'@'localhost' IDENTIFIED BY 'C0mpl3x_@dm1n_P@ssw0rd_2024!';

-- Grant minimal required permissions
GRANT SELECT ON myapp.users TO 'app_read'@'localhost';
GRANT SELECT ON myapp.posts TO 'app_read'@'localhost';

GRANT SELECT, INSERT, UPDATE ON myapp.users TO 'app_write'@'localhost';
GRANT SELECT, INSERT, UPDATE ON myapp.posts TO 'app_write'@'localhost';

-- Admin user only for schema changes
GRANT CREATE, ALTER, DROP ON myapp.* TO 'app_admin'@'localhost';

-- No global privileges granted
FLUSH PRIVILEGES;
2

Implement Strong Authentication Mechanisms

Use strong passwords, restrict connection hosts, enable SSL/TLS, and consider additional authentication methods like certificate-based authentication for enhanced security.

View implementation – SQL 
-- SECURE: Strong authentication configuration
-- Strong password policy
CREATE USER 'app_user'@'10.0.1.%' IDENTIFIED BY 'V3ry_C0mpl3x_P@ssw0rd_2024_With_Sp3c1al_Ch@rs!';

-- Require SSL connections
CREATE USER 'secure_app'@'10.0.1.%' 
  IDENTIFIED BY 'Str0ng_P@ssw0rd_2024!' 
  REQUIRE SSL;

-- Certificate-based authentication
CREATE USER 'cert_user'@'10.0.1.%' 
  IDENTIFIED BY 'C3rt_P@ssw0rd_2024!' 
  REQUIRE X509;

-- Connection and resource limits
CREATE USER 'limited_user'@'10.0.1.%' 
  IDENTIFIED BY 'L1m1t3d_P@ssw0rd_2024!' 
  WITH MAX_CONNECTIONS_PER_HOUR 100
       MAX_QUERIES_PER_HOUR 1000
       MAX_UPDATES_PER_HOUR 500;

-- Enable password validation
INSTALL PLUGIN validate_password SONAME 'validate_password.so';
SET GLOBAL validate_password.policy = STRONG;
3

Secure Network Configuration

Restrict database access to specific hosts and networks, use non-default ports, enable firewalls, and ensure databases are not directly accessible from the internet.

View implementation – SQL 
-- SECURE: Network configuration
-- Bind only to specific interfaces
bind-address = 127.0.0.1  -- Local only
-- OR bind-address = 10.0.1.100  -- Specific internal IP

-- Use non-default port
port = 33061  -- Non-standard port

-- Create users restricted to specific networks
CREATE USER 'app_user'@'10.0.1.%' IDENTIFIED BY 'Secure_P@ssw0rd_2024!';
CREATE USER 'admin_user'@'10.0.2.50' IDENTIFIED BY '@dm1n_P@ssw0rd_2024!';

-- No wildcard hosts
-- DROP USER 'app'@'%';  -- Remove overly permissive users

-- Enable SSL/TLS
ssl-ca = /etc/mysql/ssl/ca-cert.pem
ssl-cert = /etc/mysql/ssl/server-cert.pem
ssl-key = /etc/mysql/ssl/server-key.pem
require_secure_transport = ON

-- Firewall rules (external configuration)
-- iptables -A INPUT -p tcp --dport 33061 -s 10.0.1.0/24 -j ACCEPT
-- iptables -A INPUT -p tcp --dport 33061 -j DROP
4

Enable Security Monitoring and Logging

Configure comprehensive logging to detect suspicious activities, enable query auditing, and set up monitoring for security events and performance anomalies.

View implementation – SQL 
-- SECURE: Security monitoring and logging
-- Enable general query logging
SET GLOBAL general_log = 'ON';
SET GLOBAL general_log_file = '/var/log/mysql/mysql-queries.log';

-- Enable slow query logging
SET GLOBAL slow_query_log = 'ON';
SET GLOBAL slow_query_log_file = '/var/log/mysql/mysql-slow.log';
SET GLOBAL long_query_time = 2;  -- Log queries > 2 seconds

-- Enable binary logging for replication and point-in-time recovery
log-bin = /var/log/mysql/mysql-bin
server-id = 1

-- Enable error logging
log-error = /var/log/mysql/mysql-error.log
log-warnings = 2

-- Connection monitoring
max_connections = 100  -- Limit concurrent connections
max_connect_errors = 10  -- Block hosts with too many errors
connect_timeout = 10  -- Connection timeout

-- Query security settings
max_execution_time = 30000  -- 30 second query timeout
max_statement_time = 30000  -- Alternative for MariaDB

-- Install audit plugin for detailed monitoring
INSTALL PLUGIN server_audit SONAME 'server_audit.so';
SET GLOBAL server_audit_logging = ON;
SET GLOBAL server_audit_events = 'CONNECT,QUERY,TABLE';
5

Implement Database Hardening Measures

Apply additional security hardening measures including disabling unnecessary features, securing file permissions, and implementing backup security.

View implementation – SQL 
-- SECURE: Database hardening configuration
-- Disable unnecessary features
SET GLOBAL local_infile = OFF;  -- Prevent LOAD DATA LOCAL attacks
SET GLOBAL secure_file_priv = '/var/lib/mysql-files/';  -- Restrict file operations

-- Remove test databases and users
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.user WHERE User = '';
DELETE FROM mysql.user WHERE User = 'root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');

-- Secure root account
ALTER USER 'root'@'localhost' IDENTIFIED BY 'V3ry_Str0ng_R00t_P@ssw0rd_2024!';

-- Remove unused plugins
UNINSTALL PLUGIN federated;

-- File system security (external configuration)
-- chmod 750 /var/lib/mysql
-- chown mysql:mysql /var/lib/mysql
-- chmod 644 /etc/mysql/my.cnf

-- Backup security
-- Use encrypted backups
-- mysqldump --single-transaction --routines --triggers --all-databases \
--   | gpg --cipher-algo AES256 --compress-algo 1 --symmetric \
--   > backup_$(date +%Y%m%d_%H%M%S).sql.gpg

-- Network security
SET GLOBAL skip_name_resolve = ON;  -- Use IP addresses only
SET GLOBAL sql_mode = 'STRICT_TRANS_TABLES,NO_ZERO_DATE,NO_ZERO_IN_DATE,ERROR_FOR_DIVISION_BY_ZERO';

FLUSH PRIVILEGES;

Detect This Vulnerability in Your Code

Sourcery automatically identifies database security configuration vulnerabilities and many other security issues in your codebase.

Scan Your Code for Free Explore More Vulnerabilities