MySQL remote exploit

Anon Anon lokotejones at gmail.com
Wed Sep 14 07:55:52 MST 2016


Prepared Statements are the current state of the art. Slashes and html
entities are not really used in modern PHP any more.

http://www.w3schools.com/php/php_mysql_prepared_statements.asp

You should also use mod_security in Apache if that is your webserver.

https://www.howtoforge.com/apache_mod_security

You should also have an idea of what you plan to accept as input. A
phone number doesn't need letters or symbols. A name doesn't need symbols.
You should perform multiple layers of checking before passing on data from
a user. If you have an input for names but they are putting in a ! symbol,
you should kick out their input or verify that a Mr. Kickass!!
$$CatKisser$$ is using your form.
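As an added illustration of the point above (not code from the original post or from any of the authors in this thread), here is the concatenated query beside its prepared-statement form, plus the kind of per-field whitelist described. It uses Python's built-in sqlite3 as a stand-in for MySQL so it runs offline; the table, rows and validation rules are constructed for the example.

```python
import re
import sqlite3

# Constructed in-memory table standing in for the site's MySQL users table
# (sqlite3 is used only because it ships with Python; the principle is the same).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, phone TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("Alice", "6025550100"), ("O'Brien", "6025550101")])
    return conn

# Vulnerable: the input is spliced into the SQL text, so a quote inside it changes
# the statement itself. This is the pattern addslashes() tries to patch over.
def lookup_concat(conn, name):
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

# Prepared statement: the SQL is parsed with a placeholder and the value is bound
# afterwards, so whatever the user typed can only ever be data, never syntax.
def lookup_prepared(conn, name):
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]

# Whitelist checks in the spirit of the post: digits only for a phone number, letters
# plus the few characters real names use for a name. The exact rules are assumed.
PHONE_RE = re.compile(r"[0-9]{10}")
NAME_RE = re.compile(r"[A-Za-z][A-Za-z '.-]{0,63}")

def valid_phone(value):
    return PHONE_RE.fullmatch(value) is not None

def valid_name(value):
    return NAME_RE.fullmatch(value) is not None

# True when the concatenated query cannot even be parsed for this input.
def concat_breaks(conn, name):
    try:
        lookup_concat(conn, name)
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    db = make_db()
    print(valid_name("Mr. Kickass!!"), valid_phone("602-555-0100"))  # False False
    # O'Brien passes validation yet breaks concatenation; the prepared form handles it.
    print(concat_breaks(db, "O'Brien"), lookup_prepared(db, "O'Brien"))  # True ["O'Brien"]
    # Classic injection string: concatenation returns every row, the prepared one none.
    print(lookup_concat(db, "' OR '1'='1"), lookup_prepared(db, "' OR '1'='1"))
```

The point the two lookups make together is that validation narrows what reaches the database, but only the bound parameter guarantees the input cannot change the query.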

On Wed, Sep 14, 2016 at 7:11 AM, Keith Smith <techlists at phpcoderusa.com>
wrote:

>
> I think this is a great opportunity to talk about sanitizing one's data
> before sending it to the DB.
>
> There are two very easy things one can do if programming in PHP.
>
> 1) Addslashes - Returns a string with backslashes before characters that
> need to be escaped. These characters are single quote ('), double quote
> ("), backslash (\) and NUL (the NULL byte).
>
> 2) htmlentities — Convert all applicable characters to HTML entities -
> this will convert any semicolons not enclosed in quotes into its html
> entity.
>
> http://php.net/manual/en/security.database.sql-injection.php
>
> Little Bobby Tables :  http://php.net/manual/en/images/fa7c5b5f326e3c4a6cc9db19e7edbaf0-xkcd-bobby-tables.png
>
> I do not profess to be an expert in this area.  I spent a lot of time
> looking into this about 10 years ago and still feel like I need to know
> more.  I'm always eager to learn more in this area.
>
> Please add your thoughts?
>
> Thanks!!
> Keith
>
>
>
>
>
> On 2016-09-14 01:41, der.hans wrote:
>
>> On 14 Sep 2016, Herminio Hernandez, Jr. wrote:
>>
>>> Should I be concerned even if my SQL server is only listening on localhost?
>>
>> Depends on what you have using it.
>>
>> If it's the DB for a web site, then it's possible that SQL injection can
>> be used to modify your database.
>>
>> For instance, WordPress has lots of security issues, so it likely can be
>> exploited to use SQL injection to talk to your DB.
>>
>> ciao,
>>
>> der.hans
>>
>>> On Mon, Sep 12, 2016 at 1:29 PM, Joseph Sinclair <plug-discussion at stcaz.net>
>>> wrote:
>>>
>>>> FYI, minor improvement below to lock down a few edge cases (note, this is
>>>> primarily for EXT{2,3,4} and other filesystems that support file
>>>> attributes).
>>>> You'll also need to remove the attribute manually before updating when
>>>> patches become available.
>>>>
>>>> On 09/12/2016 12:33 PM, der.hans wrote:
>>>>
>>>>> On 12 Sep 2016, Herminio Hernandez Jr. wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>>> Basically they mirror the repos. So when it hits debian I will upgrade.
>>>>>>
>>>>>
>>>>> Ah, OK.
>>>>>
>>>>> You might also want to create a couple of empty files and lock them
>>>>> down.
>>>>>
>>>>> $datadir can be exploited, so pre-emptively putting empty conf files in
>>>>> there that can't be changed by mysql is a good idea.
>>>>>
>>>>> The following is for anyone with questions on locking down the config
>>>>> files in $datadir.
>>>>>
>>>>> Presuming $datadir is /var/lib/mysql either of the following will lock
>>>>> down the files when run as root, but the first will destroy files you
>>>>> might already have.
>>>>>
>>>>> # >/var/lib/mysql/my.cnf
>>>>> # >/var/lib/mysql/.my.cnf
>>>>> # chmod 000 /var/lib/mysql/{.,}my.cnf
>>>> # chattr +i /var/lib/mysql/{.,}my.cnf
>>>>>
>>>>> Or, with some minimal verification that it's safe...
>>>>>
>>>>> # for file in /var/lib/mysql/{.,}my.cnf; do
>>>>>     if [ ! -e "$file" ] ; then
>>>>>         >"$file"
>>>>>         chmod 000 "$file"
>>>>          chattr +i "$file"
>>>>>         ls -l "$file"
>>>>          lsattr "$file"
>>>>>     else
>>>>>         ls -l "$file"
>>>>          lsattr "$file"
>>>>>         echo "You might want to check on that"
>>>>>     fi
>>>>> done
>>>>>
>>>>> ciao,
>>>>>
>>>>> der.hans
>>>>>
>>>>>> Sent from my iPhone
>>>>>>
>>>>>> On Sep 12, 2016, at 12:00 PM, der.hans <PLUGd at LuftHans.com> wrote:
>>>>>>
>>>>>>> On 12 Sep 2016, Herminio Hernandez Jr. wrote:
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>>> Thanks have some SQL in DO droplets. Will be looking for this.
>>>>>>>>
>>>>>>>
>>>>>>> Will DigitalOcean automagically apply the patches for you?
>>>>>>>
>>>>>>> I would expect it's in their best interest.
>>>>>>>
>>>>>>> I'm certain DreamHost is already upgraded. GoDaddy is probably rolling it
>>>>>>> out already, but I no longer know anyone on the team over there, so am not
>>>>>>> sure how quick they will be.
>>>>>>>
>>>>>>> This is admittedly one of the advantages of cloud. The infrastructure
>>>>>>> providers can centrally test and roll out for everyone. The disadvantage
>>>>>>> is if it's something that affects you, but they don't know or care about
>>>>>>> it :).
>>>>>>>
>>>>>>> ciao,
>>>>>>>
>>>>>>> der.hans
>>>>>>>
>>>>>>>> Sent from my iPhone
>>>>>>>>
>>>>>>>> On Sep 12, 2016, at 11:18 AM, der.hans <PLUGd at LuftHans.com> wrote:
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> a MySQL remote exploit was announced this morning. Percona and MariaDB
>>>>>>>>> already have fixes that have not yet hit the distros.
>>>>>>>>>
>>>>>>>>> https://www.percona.com/blog/2016/09/12/percona-server-critical-update-cve-2016-6662
>>>>>>>>>
>>>>>>>>> http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html
>>>>>>>>>
>>>>>>>>> Watch for updates.
>>>>>>>>>
>>>>>>>>> ciao,
>>>>>>>>>
>>>>>>>>> der.hans
>>>>>>>>> --
>>>>>>>>> #  http://www.LuftHans.com/        http://www.PhxLinux.org/
>>>>>>>>> #  Fairy Tale, n.: A horror story to prepare children for the newspapers.
>>>>>>>>> ---------------------------------------------------
>>>>>>>>> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
>>>>>>>>> To subscribe, unsubscribe, or to change your mail settings:
>>>>>>>>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>>>>>> --
>>>>>>> #  http://www.LuftHans.com/        http://www.PhxLinux.org/
>>>>>>> #  "You go to Afghanistan and you swallow enough dust that you'll pass an
>>>>>>> #  adobe brick." -- Robin Williams, 03Aug2006
>
> --
> Keith Smith
>