It looks like this is fixed in Debian version 5.5.52-0+deb8u1, if I am reading this page correctly.

https://security-tracker.debian.org/tracker/CVE-2016-6662

Mark

On Wed, Sep 14, 2016 at 7:55 AM, Anon Anon wrote:
> Prepared Statements are the current state of the art. Slashes and HTML
> entities are not really used in modern PHP any more.
>
> http://www.w3schools.com/php/php_mysql_prepared_statements.asp
>
> You should also use mod_security in Apache if that is your webserver.
>
> https://www.howtoforge.com/apache_mod_security
>
> You should also have an idea of what you plan to accept as far as input
> goes. A phone number doesn't need letters or symbols. A name doesn't need
> symbols. You should perform multiple layers of checking before passing on
> data from a user. If you have an input for names but they are putting in a
> ! symbol, you should kick out their input or verify that a Mr. Kickass!!
> $$CatKisser$$ is using your form.
>
> On Wed, Sep 14, 2016 at 7:11 AM, Keith Smith wrote:
>
>> I think this is a great opportunity to talk about sanitizing one's data
>> before sending it to the DB.
>>
>> There are two very easy things one can do if programming in PHP.
>>
>> 1) addslashes - Returns a string with backslashes before characters that
>> need to be escaped. These characters are single quote ('), double quote
>> ("), backslash (\) and NUL (the NULL byte).
>>
>> 2) htmlentities - Convert all applicable characters to HTML entities -
>> this will convert any semicolons not enclosed in quotes into its HTML
>> entity.
>>
>> http://php.net/manual/en/security.database.sql-injection.php
>>
>> Little Bobby Tables:
>> http://php.net/manual/en/images/fa7c5b5f326e3c4a6cc9db19e7edbaf0-xkcd-bobby-tables.png
>>
>> I do not profess to be an expert in this area. I spent a lot of time
>> looking into this about 10 years ago and still feel like I need to know
>> more. I'm always eager to learn more in this area.
>>
>> Please add your thoughts?
>>
>> Thanks!!
>> Keith
>>
>> On 2016-09-14 01:41, der.hans wrote:
>>
>>> On 14 Sep 2016, Herminio Hernandez, Jr. wrote:
>>>
>>>> Should I be concerned even if my SQL server is only listening on
>>>> localhost?
>>>
>>> Depends on what you have using it.
>>>
>>> If it's the DB for a web site, then it's possible that SQL injection can
>>> be used to modify your database.
>>>
>>> For instance, WordPress has lots of security issues, so it likely can be
>>> exploited to use SQL injection to talk to your DB.
>>>
>>> ciao,
>>>
>>> der.hans
>>>
>>>> On Mon, Sep 12, 2016 at 1:29 PM, Joseph Sinclair <plug-discussion@stcaz.net> wrote:
>>>>
>>>>> FYI, minor improvement below to lock down a few edge cases (note, this
>>>>> is primarily for EXT{2,3,4} and other filesystems that support file
>>>>> attributes).
>>>>> You'll also need to remove the attribute manually before updating when
>>>>> patches become available.
>>>>>
>>>>> On 09/12/2016 12:33 PM, der.hans wrote:
>>>>>
>>>>>> On 12 Sep 2016, Herminio Hernandez Jr. wrote:
>>>>>>
>>>>>> hello,
>>>>>>
>>>>>>> Basically they mirror the repos. So when it hits Debian I will
>>>>>>> upgrade.
>>>>>>
>>>>>> Ah, OK.
>>>>>>
>>>>>> You might also want to create a couple of empty files and lock them
>>>>>> down.
>>>>>>
>>>>>> $datadir can be exploited, so pre-emptively putting empty conf files
>>>>>> in there that can't be changed by mysql is a good idea.
>>>>>>
>>>>>> The following is for anyone with questions on locking down the config
>>>>>> files in $datadir.
>>>>>>
>>>>>> Presuming $datadir is /var/lib/mysql either of the following will lock
>>>>>> down the files when run as root, but the first will destroy files you
>>>>>> might already have.
>>>>>>
>>>>>> # >/var/lib/mysql/my.cnf
>>>>>> # >/var/lib/mysql/.my.cnf
>>>>>> # chmod 000 /var/lib/mysql/{.,}my.cnf
>>>>> # chattr +i /var/lib/mysql/{.,}my.cnf
>>>>>>
>>>>>> Or, with some minimal verification that it's safe...
>>>>>>
>>>>>> # for file in /var/lib/mysql/{.,}my.cnf; do
>>>>>>     if [ ! -e "$file" ]; then
>>>>>>         # create the empty file, then strip all permission bits
>>>>>>         >"$file"
>>>>>>         chmod 000 "$file"
>>>>>         # immutable must come after chmod; chmod fails on an immutable file
>>>>>         chattr +i "$file"
>>>>>>         ls -l "$file"
>>>>>         lsattr "$file"
>>>>>>     else
>>>>>>         # file already exists: show it rather than overwrite it
>>>>>>         ls -l "$file"
>>>>>         lsattr "$file"
>>>>>>         echo "You might want to check on that"
>>>>>>     fi
>>>>>> done
>>>>>>
>>>>>> ciao,
>>>>>>
>>>>>> der.hans
>>>>>>
>>>>>> Sent from my iPhone
>>>>>>
>>>>>>> On Sep 12, 2016, at 12:00 PM, der.hans wrote:
>>>>>>>
>>>>>>>> On 12 Sep 2016, Herminio Hernandez Jr. wrote:
>>>>>>>>
>>>>>>>> hello,
>>>>>>>>
>>>>>>>>> Thanks, have some SQL in DO droplets. Will be looking for this.
>>>>>>>>
>>>>>>>> Will DigitalOcean automagically apply the patches for you?
>>>>>>>>
>>>>>>>> I would expect it's in their best interest.
>>>>>>>>
>>>>>>>> I'm certain DreamHost is already upgraded. GoDaddy is probably rolling
>>>>>>>> it out already, but I no longer know anyone on the team over there, so
>>>>>>>> am not sure how quick they will be.
>>>>>>>>
>>>>>>>> This is admittedly one of the advantages of cloud. The infrastructure
>>>>>>>> providers can centrally test and roll out for everyone. The
>>>>>>>> disadvantage is if it's something that affects you, but they don't know
>>>>>>>> or care about it :).
>>>>>>>>
>>>>>>>> ciao,
>>>>>>>>
>>>>>>>> der.hans
>>>>>>>>
>>>>>>>> Sent from my iPhone
>>>>>>>>
>>>>>>>>> On Sep 12, 2016, at 11:18 AM, der.hans wrote:
>>>>>>>>>
>>>>>>>>>> hello,
>>>>>>>>>>
>>>>>>>>>> a MySQL remote exploit was announced this morning. Percona and
>>>>>>>>>> MariaDB already have fixes that have not yet hit the distros.
>>>>>>>>>>
>>>>>>>>>> https://www.percona.com/blog/2016/09/12/percona-server-critical-update-cve-2016-6662
>>>>>>>>>>
>>>>>>>>>> http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html
>>>>>>>>>>
>>>>>>>>>> Watch for updates.
>>>>>>>>>>
>>>>>>>>>> ciao,
>>>>>>>>>>
>>>>>>>>>> der.hans
>>>>>>>>>> --
>>>>>>>>>> # http://www.LuftHans.com/ http://www.PhxLinux.org/
>>>>>>>>>> # Fairy Tale, n.: A horror story to prepare children for the newspapers.
>>>>>>>>>> ---------------------------------------------------
>>>>>>>>>> PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
>>>>>>>>>> To subscribe, unsubscribe, or to change your mail settings:
>>>>>>>>>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>>>>>>>
>>>>>>>> --
>>>>>>>> # http://www.LuftHans.com/ http://www.PhxLinux.org/
>>>>>>>> # "You go to Afghanistan and you swallow enough dust that you'll pass an
>>>>>>>> # adobe brick." -- Robin Williams, 03Aug2006
>>
>> --
>> Keith Smith
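The point argued in the thread (bound parameters instead of addslashes(), and allow-list checks on the shape of each field before the data goes anywhere) as an added, runnable example. This is not code from the thread or from any poster; it uses Python's sqlite3 module as a stand-in for PHP's PDO/mysqli prepared statements, and the table, rows, regexes and inputs are constructed for the demo. The addslashes() port follows the PHP manual's description quoted by Keith. One thing the SQLite stand-in makes visible: escaping only helps when the server's quoting rules match the escaper (SQLite does not treat backslash as an escape, so the string case still breaks out here; on MySQL with default settings it would not), and in a numeric context there is nothing to escape at all. Bound parameters do not depend on either. htmlentities() is for encoding data into HTML output, not for SQL, so it is not part of the example.

```python
"""Added example: escaping vs. bound parameters vs. input validation (SQLite stand-in)."""
import re
import sqlite3


def addslashes(s: str) -> str:
    """Port of PHP addslashes(): backslash before ' " and \\, NUL becomes \\0."""
    out = []
    for ch in s:
        if ch == "\0":
            out.append("\\0")
        elif ch in "'\"\\":
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def make_db() -> sqlite3.Connection:
    """In-memory users table with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, phone TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [(1, "alice", "6025550100", 1), (2, "bob", "6025550101", 0)],
    )
    return conn


def names_by_id_escaped(conn, user_id: str) -> list:
    """Escaping only, numeric context: the value is not quoted, so addslashes()
    has nothing to act on and '2 OR 1=1' is spliced into the statement verbatim."""
    sql = "SELECT name FROM users WHERE id = " + addslashes(user_id)
    return sorted(row[0] for row in conn.execute(sql))


def names_by_name_escaped(conn, name: str) -> list:
    """Escaping only, string context. Safe only if the server treats backslash
    as an escape character; SQLite does not, so the quote still terminates the literal."""
    sql = "SELECT name FROM users WHERE name = '" + addslashes(name) + "'"
    return sorted(row[0] for row in conn.execute(sql))


def names_by_id_bound(conn, user_id: str) -> list:
    """Prepared statement: the value is sent as a parameter, never as SQL text."""
    rows = conn.execute("SELECT name FROM users WHERE id = ?", (user_id,))
    return sorted(row[0] for row in rows)


def names_by_name_bound(conn, name: str) -> list:
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)


# Allow-lists per field type; these shapes are assumptions made for the demo.
PHONE_RE = re.compile(r"\+?[0-9]{10,15}")
NAME_RE = re.compile(r"[A-Za-z][A-Za-z .'-]{0,63}")


def valid_phone(raw: str) -> bool:
    return PHONE_RE.fullmatch(raw) is not None


def valid_name(raw: str) -> bool:
    return NAME_RE.fullmatch(raw) is not None


def add_user(conn, name: str, phone: str):
    """Check the shape first, then bind. Returns the stored (name, phone), or None if rejected.
    A legitimate apostrophe (O'Brien) passes validation and is stored intact by binding."""
    if not (valid_name(name) and valid_phone(phone)):
        return None
    conn.execute("INSERT INTO users (name, phone, is_admin) VALUES (?, ?, 0)", (name, phone))
    return conn.execute("SELECT name, phone FROM users WHERE name = ?", (name,)).fetchone()


if __name__ == "__main__":
    db = make_db()
    print(names_by_id_escaped(db, "2 OR 1=1"))            # ['alice', 'bob']
    print(names_by_name_escaped(db, "alice' OR 1=1 --"))  # ['alice', 'bob'] on SQLite
    print(names_by_id_bound(db, "2 OR 1=1"))              # []
    print(names_by_name_bound(db, "alice' OR 1=1 --"))    # []
    print(add_user(db, "Mr. Kickass!! $$CatKisser$$", "602555"))  # None
    print(add_user(db, "O'Brien", "6025550102"))          # ("O'Brien", '6025550102')
```

Run it as a script to see both escaped lookups return every row for a single injected value while the bound versions return nothing, and the allow-list reject the "Mr. Kickass!! $$CatKisser$$" name while still accepting a real apostrophe. Validation and binding are complementary: the regex decides what the field may contain, the parameter binding guarantees that whatever it contains is data rather than SQL.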