Insecurities with es_admin, mysql

Hey everyone!

I have noticed something whilst setting up a server with an ESX stack on it. After adding the mysql plugin as well as adding the required mysql_connection_string to the config file, I noticed something rather alarming…

Anyone with the role admin or super admin can use the following command in game and it prints that raw string to console: /mysql_connection_string. First, I think it is absolute insanity for this to be a thing, regardless of group level. I also looked through the code for a bit and could not find what exactly does this (adds that command). I am assuming anything that is set becomes an admin command that dumps the value?

Anyways, we need to be able to use more than just one staff group (mod is the only one I am comfortable granting with this exploit in place). I have a few possible solutions to the problem, but I am wondering if someone with more FiveM experience can help me out with the best one.

So far I am thinking I can do one of the following:

  1. Simply hardcode that string in the file that calls it, remove from cfg (thus removing that one command)
  2. Look for an alternative admin mod if it is powerful, secure, and doesn't have this issue
  3. Write several custom groups and grant them access to the commands as I please
  4. Remove the ability to read the connection string somehow… not sure how to as source is unknown

Now my db user is locked down to localhost, as any user used on a local machine should be, so it won't do much good getting the password, but still not something I want out in the public.

My questions to you more knowledgeable folk are:
A) Have you seen/heard of this before? Am I doing something inherently wrong?
B) Do you know a simple solution for this? Preferably removing the command?
C) Do you have an alternative secure/powerful admin tool that works with ESX?

Thanks for your help everyone!

PS: My intention is not to publicly expose an unknown insecurity: either A) my setup is wrong and this is unique to me or B) this is how it has always been, and with autofill when typing commands this has to be a known thing by the devs of the mod.

Then deny the permissions. It’s up to the server owner to define how much an “admin” can do.

add_ace group.admin command.mysql_connection_string deny

Revokes the permissions for running /mysql_connection_string.

As a server owner you need to set the boundaries; this is not a security flaw. And this is why it’s generally advised to know what the fuck you’re doing.

Also, you should have plenty of flexibility to work around the “set” syntax, as you stated yourself.
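
One way to audit a config for the situation discussed in this thread, as an added example that is not part of the original posts or of es_admin: it lists secret-looking `set` variables for which a given group has no explicit `deny` ACE of the form shown in the reply. The sample config, the `group.superadmin` principal, the `example_*` variable names and the keyword list are assumptions, and ACE inheritance between principals is not modelled.

```python
import re
import shlex

# Constructed sample config (not from the thread); credentials are placeholders.
SAMPLE_CFG = """
# database
set mysql_connection_string "server=localhost;database=exampledb;userid=CHANGE_ME;password=CHANGE_ME"
set example_api_token "PLACEHOLDER"
set example_feature_flag 1
add_ace group.admin command allow
add_ace group.admin command.mysql_connection_string deny
add_ace group.superadmin command allow
"""

# Assumption: name fragments suggesting that a variable holds a secret.
SENSITIVE = re.compile(r"(connection_string|password|secret|token|key)", re.I)


def parse_cfg(text):
    """Return (names defined with `set`, {(principal, object): 'allow'|'deny'})."""
    convars, aces = [], {}
    for raw in text.splitlines():
        try:
            parts = shlex.split(raw, comments=True)  # '#' starts a comment
        except ValueError:
            continue  # unbalanced quotes: skip the line rather than guess
        if len(parts) >= 3 and parts[0] == "set":
            convars.append(parts[1])
        elif len(parts) == 4 and parts[0] == "add_ace":
            aces[(parts[1], parts[2])] = parts[3].lower()
    return convars, aces


def exposed_secrets(text, groups):
    """Per group, the sensitive variables with no explicit deny ACE.

    Conservative: a variable is reported unless the exact line
    `add_ace <group> command.<name> deny` is present for that group.
    """
    convars, aces = parse_cfg(text)
    return {
        g: [c for c in convars
            if SENSITIVE.search(c) and aces.get((g, "command." + c)) != "deny"]
        for g in groups
    }


if __name__ == "__main__":
    for group, names in exposed_secrets(
            SAMPLE_CFG, ["group.admin", "group.superadmin"]).items():
        print(group, "->", names or "nothing exposed")
```
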