MySQL remote exploit

Keith Smith techlists at phpcoderusa.com
Wed Sep 14 07:11:51 MST 2016


I think this is a great opportunity to talk about sanitizing one's data 
before sending it to the DB.

There are two very easy things one can do if programming in PHP.

1) Addslashes - Returns a string with backslashes before characters that 
need to be escaped. These characters are single quote ('), double quote 
("), backslash (\) and NUL (the NULL byte).

2) htmlentities — Convert all applicable characters to HTML entities - 
this will convert any semicolons not enclosed in quotes into their HTML 
entities.

http://php.net/manual/en/security.database.sql-injection.php

Little Bobby Tables :  
http://php.net/manual/en/images/fa7c5b5f326e3c4a6cc9db19e7edbaf0-xkcd-bobby-tables.png

I do not profess to be an expert in this area.  I spent a lot of time 
looking into this about 10 years ago and still feel like I need to know 
more.  I'm always eager to learn more in this area.

Please add your thoughts?

Thanks!!
Keith




On 2016-09-14 01:41, der.hans wrote:
> On 14 Sep 2016, Herminio Hernandez, Jr. said:
> 
>> Should I be concerned even if my SQL server is only listening on localhost?
> 
> Depends on what you have using it.
> 
> If it's the DB for a web site, then it's possible that SQL injection can
> be used to modify your database.
> 
> For instance, WordPress has lots of security issues, so it likely can be
> exploited to use SQL injection to talk to your DB.
> 
> ciao,
> 
> der.hans
> 
>> On Mon, Sep 12, 2016 at 1:29 PM, Joseph Sinclair 
>> <plug-discussion at stcaz.net>
>> wrote:
>> 
>>> FYI, minor improvement below to lock down a few edge cases (note, this is
>>> primarily for EXT{2,3,4} and other filesystems that support file
>>> attributes).
>>> You'll also need to remove the attribute manually before updating when
>>> patches become available.
>>> 
>>> On 09/12/2016 12:33 PM, der.hans wrote:
>>>> On 12 Sep 2016, Herminio Hernandez Jr. said:
>>>> 
>>>> moin moin,
>>>> 
>>>>> Basically they mirror the repos. So when it hits Debian I will upgrade.
>>>> 
>>>> Ah, OK.
>>>> 
>>>> You might also want to create a couple of empty files and lock them down.
>>>> 
>>>> $datadir can be exploited, so pre-emptively putting empty conf files in
>>>> there that can't be changed by mysql is a good idea.
>>>> 
>>>> The following is for anyone with questions on locking down the config
>>>> files in $datadir.
>>>> 
>>>> Presuming $datadir is /var/lib/mysql either of the following will lock
>>>> down the files when run as root, but the first will destroy files you
>>>> might already have.
>>>> 
>>>> # >/var/lib/mysql/my.cnf
>>>> # >/var/lib/mysql/.my.cnf
>>>> # chmod 000 /var/lib/mysql/{.,}my.cnf
>>> # chattr +i /var/lib/mysql/{.,}my.cnf
>>>> 
>>>> Or, with some minimal verification that it's safe...
>>>> 
>>>> # for file in /var/lib/mysql/{.,}my.cnf; do
>>>>     if [ ! -e "$file" ] ; then
>>>>         >"$file"
>>>>         chmod 000 "$file"
>>>           chattr +i "$file"
>>>>         ls -l "$file"
>>>           lsattr "$file"
>>>>     else
>>>>         ls -l "$file"
>>>           lsattr "$file"
>>>>         echo "You might want to check on that"
>>>>     fi
>>>> done
>>>> 
>>>> ciao,
>>>> 
>>>> der.hans
>>>> 
>>>>> Sent from my iPhone
>>>>> 
>>>>>> On Sep 12, 2016, at 12:00 PM, der.hans <PLUGd at LuftHans.com> wrote:
>>>>>> 
>>>>>> On 12 Sep 2016, Herminio Hernandez Jr. said:
>>>>>> 
>>>>>> moin moin,
>>>>>> 
>>>>>>> Thanks, have some SQL in DO droplets. Will be looking for this.
>>>>>> 
>>>>>> Will DigitalOcean automagically apply the patches for you?
>>>>>> 
>>>>>> I would expect it's in their best interest.
>>>>>> 
>>>>>> I'm certain DreamHost is already upgraded. GoDaddy is probably rolling it
>>>>>> out already, but I no longer know anyone on the team over there, so am not
>>>>>> sure how quick they will be.
>>>>>> 
>>>>>> This is admittedly one of the advantages of cloud. The infrastructure
>>>>>> providers can centrally test and roll out for everyone. The disadvantage
>>>>>> is if it's something that affects you, but they don't know or care about
>>>>>> it :).
>>>>>> 
>>>>>> ciao,
>>>>>> 
>>>>>> der.hans
>>>>>> 
>>>>>>> Sent from my iPhone
>>>>>>> 
>>>>>>>> On Sep 12, 2016, at 11:18 AM, der.hans <PLUGd at LuftHans.com> wrote:
>>>>>>>> 
>>>>>>>> moin moin,
>>>>>>>> 
>>>>>>>> a MySQL remote exploit was announced this morning. Percona and MariaDB
>>>>>>>> already have fixes that have not yet hit the distros.
>>>>>>>> 
>>>>>>>> https://www.percona.com/blog/2016/09/12/percona-server-critical-update-cve-2016-6662
>>>>>>>> 
>>>>>>>> http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html
>>>>>>>> 
>>>>>>>> Watch for updates.
>>>>>>>> 
>>>>>>>> ciao,
>>>>>>>> 
>>>>>>>> der.hans
>>>>>>>> --
>>>>>>>> #  http://www.LuftHans.com/        http://www.PhxLinux.org/
>>>>>>>> #  Fairy Tale, n.: A horror story to prepare children for the newspapers.
>>>>>>>> ---------------------------------------------------
>>>>>>>> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
>>>>>>>> To subscribe, unsubscribe, or to change your mail settings:
>>>>>>>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>>>>> 
>>>>>> --
>>>>>> #  http://www.LuftHans.com/        http://www.PhxLinux.org/
>>>>>> #  "You go to Afghanistan and you swallow enough dust that you'll pass an
>>>>>> #  adobe brick." -- Robin Williams, 03Aug2006
>>>> 
>>>> 
>>>> 
>>>> 
>>> 
>>> 
>>> 
>> 
> 

-- 
Keith Smith
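A worked example of the point Keith raises about keeping user-supplied data out of the SQL text, added here and not part of the original post or the PHP project's own code: the same lookup written with string concatenation and with a PDO prepared statement, which is the approach the PHP manual page linked above recommends. The `users` table, its two rows and the input `O'Brien` are constructed sample data; the function names `makeDb`, `findByConcat` and `findByPrepared` are this example's own. It runs against an in-memory SQLite database through PDO so that no MySQL server is needed; with MySQL only the DSN passed to `new PDO(...)` changes.

```php
<?php
// Added example, not code from the original post: the same lookup written
// with string concatenation and with a PDO prepared statement. It runs
// against an in-memory SQLite database via PDO so no MySQL server is needed;
// with MySQL the PDO calls are the same apart from the DSN.
declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed sample table and rows (the doubled quote is SQL's own
    // escaping for a literal apostrophe inside a string constant).
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $db->exec("INSERT INTO users (name) VALUES ('Alice'), ('O''Brien')");
    return $db;
}

// Concatenation: the caller's value becomes part of the SQL text, so the
// parser sees its quotes. An ordinary name with an apostrophe is enough to
// break the statement, and whatever else the value contains is parsed as SQL.
function findByConcat(PDO $db, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '$name'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Prepared statement: the SQL text is fixed and the value is bound
// separately, so the database only ever treats it as data.
function findByPrepared(PDO $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = makeDb();
$input = "O'Brien"; // constructed input: a legitimate name containing an apostrophe

try {
    $rows = findByConcat($db, $input);
    echo "concat:   " . count($rows) . " row(s)\n";
} catch (PDOException $e) {
    // The apostrophe ends the string constant early, so the statement
    // fails to parse and PDO (in exception mode) throws.
    echo "concat:   statement failed to parse: " . $e->getMessage() . "\n";
}

$rows = findByPrepared($db, $input);
echo "prepared: " . count($rows) . " row(s), name=" . $rows[0]['name'] . "\n";
```

Run it with `php example.php` (requires the pdo_sqlite extension, which most PHP builds ship). The concatenated query fails on nothing more hostile than a real surname, while the prepared statement returns the `O'Brien` row; binding the value instead of escaping it is also what makes the result independent of the server's quoting and escape-character settings.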

