MySQL remote exploit

Mark Phillips mark at phillipsmarketing.biz
Wed Sep 14 08:24:20 MST 2016


It looks like this is fixed in Debian version 5.5.52-0+deb8u1, if I am
reading this page correctly.

https://security-tracker.debian.org/tracker/CVE-2016-6662

Mark

On Wed, Sep 14, 2016 at 7:55 AM, Anon Anon <lokotejones at gmail.com> wrote:

> Prepared Statements are the current state of the art. Slashes and html
> entities are not really used in modern PHP any more.
>
> http://www.w3schools.com/php/php_mysql_prepared_statements.asp
>
> You should also use mod_security in Apache if that is your webserver.
>
> https://www.howtoforge.com/apache_mod_security
>
> You should also have an idea of what you plan to accept as far as input goes. A
> phone number doesn't need letters or symbols. A name doesn't need symbols.
> You should perform multiple layers of checking before passing on data from
> a user. If you have an input for names but they are putting in a ! symbol,
> you should kick out their input or verify that a Mr. Kickass!!
> $$CatKisser$$ is using your form.
>
> On Wed, Sep 14, 2016 at 7:11 AM, Keith Smith <techlists at phpcoderusa.com>
> wrote:
>
>>
>> I think this is a great opportunity to talk about sanitizing one's data
>> before sending it to the DB.
>>
>> There are two very easy things one can do if programming in PHP.
>>
>> 1) Addslashes - Returns a string with backslashes before characters that
>> need to be escaped. These characters are single quote ('), double quote
>> ("), backslash (\) and NUL (the NULL byte).
>>
>> 2) htmlentities — Convert all applicable characters to HTML entities -
>> this will convert any semicolons not enclosed in quotes into its HTML
>> entity.
>>
>> http://php.net/manual/en/security.database.sql-injection.php
>>
>> Little Bobby Tables :  http://php.net/manual/en/images/fa7c5b5f326e3c4a6cc9db19e7edbaf0-xkcd-bobby-tables.png
>>
>> I do not profess to be an expert in this area.  I spent a lot of time
>> looking into this about 10 years ago and still feel like I need to know
>> more.  I'm always eager to learn more in this area.
>>
>> Please add your thoughts?
>>
>> Thanks!!
>> Keith
>>
>>
>>
>>
>>
>> On 2016-09-14 01:41, der.hans wrote:
>>
>>> On 14 Sep 2016, Herminio Hernandez, Jr. said:
>>>
>>>> Should I be concerned even if my SQL server is only listening on localhost?
>>>>
>>>
>>> Depends on what you have using it.
>>>
>>> If it's the DB for a web site, then it's possible that SQL injection can
>>> be used to modify your database.
>>>
>>> For instance, WordPress has lots of security issues, so it likely can be
>>> exploited to use SQL injection to talk to your DB.
>>>
>>> ciao,
>>>
>>> der.hans
>>>
>>>> On Mon, Sep 12, 2016 at 1:29 PM, Joseph Sinclair <plug-discussion at stcaz.net> wrote:
>>>>
>>>>> FYI, minor improvement below to lock down a few edge cases (note, this is
>>>>> primarily for EXT{2,3,4} and other filesystems that support file
>>>>> attributes).
>>>>> You'll also need to remove the attribute manually before updating when
>>>>> patches become available.
>>>>>
>>>>> On 09/12/2016 12:33 PM, der.hans wrote:
>>>>>
>>>>>> On 12 Sep 2016, Herminio Hernandez Jr. said:
>>>>>>
>>>>>> Hello,
>>>>>>
>>>>>>> Basically they mirror the repos. So when it hits debian I will
>>>>>>> upgrade.
>>>>>>>
>>>>>>
>>>>>> Ah, OK.
>>>>>>
>>>>>> You might also want to create a couple of empty files and lock them
>>>>>> down.
>>>>>>
>>>>>> $datadir can be exploited, so pre-emptively putting empty conf files in
>>>>>> there that can't be changed by mysql is a good idea.
>>>>>>
>>>>>> The following is for anyone with questions on locking down the config
>>>>>> files in $datadir.
>>>>>>
>>>>>> Presuming $datadir is /var/lib/mysql either of the following will lock
>>>>>> down the files when run as root, but the first will destroy files you
>>>>>> might already have.
>>>>>>
>>>>>> # >/var/lib/mysql/my.cnf
>>>>>> # >/var/lib/mysql/.my.cnf
>>>>>> # chmod 000 /var/lib/mysql/{.,}my.cnf
>>>>> # chattr +i /var/lib/mysql/{.,}my.cnf
>>>>>
>>>>>>
>>>>>> Or, with some minimal verification that it's safe...
>>>>>>
>>>>>> # for file in /var/lib/mysql/{.,}my.cnf; do
>>>>>>     if [ ! -e "$file" ] ; then
>>>>>>         >"$file"
>>>>>>         chmod 000 "$file"
>>>>>           chattr +i "$file"
>>>>>>         ls -l "$file"
>>>>>           lsattr "$file"
>>>>>>     else
>>>>>>         ls -l "$file"
>>>>>           lsattr "$file"
>>>>>>         echo "You might want to check on that"
>>>>>>     fi
>>>>>> done
>>>>>>
>>>>>> ciao,
>>>>>>
>>>>>> der.hans
>>>>>>
>>>>>>> Sent from my iPhone
>>>>>>>
>>>>>>> On Sep 12, 2016, at 12:00 PM, der.hans <PLUGd at LuftHans.com> wrote:
>>>>>>>>
>>>>>>>> On 12 Sep 2016, Herminio Hernandez Jr. said:
>>>>>>>>
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>>> Thanks, I have some SQL in DO droplets. Will be looking for this.
>>>>>>>>>
>>>>>>>>
>>>>>>>> Will DigitalOcean automagically apply the patches for you?
>>>>>>>>
>>>>>>>> I would expect it's in their best interest.
>>>>>>>>
>>>>>>>> I'm certain DreamHost is already upgraded. GoDaddy is probably rolling it
>>>>>>>> out already, but I no longer know anyone on the team over there, so am
>>>>>>>> not sure how quick they will be.
>>>>>>>>
>>>>>>>> This is admittedly one of the advantages of cloud. The infrastructure
>>>>>>>> providers can centrally test and roll out for everyone. The disadvantage
>>>>>>>> is if it's something that affects you, but they don't know or care about
>>>>>>>> it :).
>>>>>>>>
>>>>>>>> ciao,
>>>>>>>>
>>>>>>>> der.hans
>>>>>>>>
>>>>>>>>> Sent from my iPhone
>>>>>>>>>
>>>>>>>>> On Sep 12, 2016, at 11:18 AM, der.hans <PLUGd at LuftHans.com> wrote:
>>>>>>>>>>
>>>>>>>>>> Hello,
>>>>>>>>>>
>>>>>>>>>> a MySQL remote exploit was announced this morning. Percona and MariaDB
>>>>>>>>>> already have fixes that have not yet hit the distros.
>>>>>>>>>>
>>>>>>>>>> https://www.percona.com/blog/2016/09/12/percona-server-critical-update-cve-2016-6662
>>>>>>>>>>
>>>>>>>>>> http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html
>>>>>>>>>>
>>>>>>>>>> Watch for updates.
>>>>>>>>>>
>>>>>>>>>> ciao,
>>>>>>>>>>
>>>>>>>>>> der.hans
>>>>>>>>>> --
>>>>>>>>>> #  http://www.LuftHans.com/        http://www.PhxLinux.org/
>>>>>>>>>> #  Fairy Tale, n.: A horror story to prepare children for the newspapers.
>>>>>>>>>> ---------------------------------------------------
>>>>>>>>>> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
>>>>>>>>>> To subscribe, unsubscribe, or to change your mail settings:
>>>>>>>>>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>> #  http://www.LuftHans.com/        http://www.PhxLinux.org/
>>>>>>>> #  "You go to Afghanistan and you swallow enough dust that you'll pass an
>>>>>>>> #  adobe brick." -- Robin Williams, 03Aug2006
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>
>>
>> --
>> Keith Smith
>>
>>
>
>
>
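As an added example (not code from the thread, nor from der.hans or Joseph Sinclair), here is a read-only audit of the lockdown they describe: it reports whether the decoy my.cnf and .my.cnf in a datadir are in the recommended state (empty, mode 000, immutable) without creating or changing anything, which is handy before and after removing the attribute to apply the distro update. It assumes a Linux userland with `ls -l` and e2fsprogs `lsattr`; the datadir path is an argument rather than the thread's assumed /var/lib/mysql.

```shell
#!/bin/sh
# Added example, not from the thread: read-only audit of the CVE-2016-6662
# decoy config files in a MySQL datadir. Nothing here creates, chmods or
# chattrs anything; it only reports. Assumes e2fsprogs lsattr when present.

# Print one status word for a single decoy file:
#   missing  - nothing there, so mysqld could write its own my.cnf
#   symlink  - a link sits where the decoy should be (follow-up checks skipped)
#   special  - exists but is not a regular file
#   nonempty - has content, i.e. it is a real config, not the empty decoy
#   mode     - permission bits are not 000
#   mutable  - no immutable attribute, or lsattr unavailable/unsupported
#   locked   - empty, mode 000 and immutable: the state the thread recommends
cnf_status() {
    f="$1"
    if [ -L "$f" ]; then echo symlink; return 0; fi
    if [ ! -e "$f" ]; then echo missing; return 0; fi
    if [ ! -f "$f" ]; then echo special; return 0; fi
    if [ -s "$f" ]; then echo nonempty; return 0; fi
    # Columns 2-10 of ls -ld are the rwx bits; mode 000 shows as nine dashes.
    perms=$(ls -ld "$f" | cut -c2-10)
    if [ "$perms" != "---------" ]; then echo mode; return 0; fi
    # lsattr's first field is the flag string; a lowercase 'i' is immutable.
    # Where lsattr fails (no attribute support) we report "mutable", not a guess.
    attrs=$(lsattr -d "$f" 2>/dev/null | cut -d' ' -f1)
    case "$attrs" in
        *i*) echo locked ;;
        *)   echo mutable ;;
    esac
    return 0
}

# Audit both decoys in a datadir. Prints a line per file and returns the
# number of files that are not fully locked, so 0 means all good.
audit_datadir() {
    dir="$1"
    bad=0
    for name in my.cnf .my.cnf; do
        status=$(cnf_status "$dir/$name")
        printf '%-24s %s\n' "$dir/$name" "$status"
        [ "$status" = locked ] || bad=$((bad + 1))
    done
    return "$bad"
}

# Run directly with the datadir as the argument, e.g. ./audit.sh /var/lib/mysql
if [ $# -gt 0 ]; then
    audit_datadir "$1"
fi
```

Only "locked" requires the chattr step run as root; an unprivileged run is enough to confirm the files exist, are empty and carry no stray permissions.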