5

MySQL users have a username and a Host associated with them, so usually you'd identify the user by 'user'@'host'. The host part is there to assure only clients which connect from that specific host are allowed, even if they happen to have the correct username and password. It also allows two users with the same username, but from different hosts, to exist on the same MySQL server.

But wouldn't it be possible to spoof the host name of the client, so that I claim to be coming from the host of my victim? Do the 'host' part of a user really provide any extra security?

Lars Nyström
  • 153
  • 3

1 Answers1

4

The client does not "present" anything related to host.

The server sees an incoming connection from a given IP and this is resolved by your mysql server and then compared to host, so it is not obvious to spoof. Your DNS resolution would need to have been modified first (or upstream DNS servers would need to have been hacked).

So yes, there is extra security provided by host.

WoJ
  • 9,038
  • 3
  • 34
  • 55
  • 1
    This answer is essentially correct but omits the fact that MySQL uses forward-confirmed reverse DNS, so the ip-to-hostname lookup is followed by a hostname-to-ip lookup to ensure the original value can be found, so both reverse and forward DNS must be compromised to thwart this mechanism. https://dev.mysql.com/doc/refman/5.6/en/host-cache.html – Michael - sqlbot Nov 09 '15 at 10:54
  • @Michael-sqlbot: yes, correct. Since these two DNSes are usually different (and often handled by different entities (PTR by the ARIN-authorized one and direct by the organization) it gets even more difficult. – WoJ Nov 09 '15 at 13:29