It looks like this is fixed in Debian version 5.5.52-0+deb8u1, if I am reading this page correctly.

https://security-tracker.debian.org/tracker/CVE-2016-6662

Mark

On Wed, Sep 14, 2016 at 7:55 AM, Anon Anon <lokotejones@gmail.com> wrote:
Prepared Statements are the current state of the art. Slashes and html entities are not really used in modern PHP any more.

http://www.w3schools.com/php/php_mysql_prepared_statements.asp

You should also use mod_security in Apache if that is your webserver.

https://www.howtoforge.com/apache_mod_security

You should also have an idea of what you plan to accept as input. A phone number doesn't need letters or symbols. A name doesn't need symbols. You should perform multiple layers of checking before passing on data from a user. If you have an input for names but they are putting in a ! symbol, you should kick out their input or verify that a Mr. Kickass!! $$CatKisser$$ is using your form.
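As an added illustration of the two approaches discussed in this thread (escaping with addslashes, as Keith describes below, and the prepared statements recommended above), and not code from either poster: the following PHP script opens an in-memory SQLite database through PDO so it runs offline, feeds the same constructed input to a concatenated query and to a prepared statement, and adds the kind of per-field validation suggested for names and phone numbers. The table, its rows, the input value and the validPhone/validName helpers are all constructed for this example.

```php
<?php
// Added example (not from the thread): compare string-building with addslashes()
// against a prepared statement. An in-memory SQLite database via PDO keeps it
// self-contained; table, rows and request input are constructed for the demo.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, phone TEXT)');
$pdo->exec("INSERT INTO users VALUES (1, 'Alice', '555-0100'), (2, 'Bob', '555-0101')");

// Constructed request input: text typed into a field the query treats as a number.
$userInput = '1 OR 1=1';

// 1) Escaping only. addslashes() touches quotes, backslashes and NUL; this input
//    contains none of them, so it reaches the SQL text unchanged and the WHERE
//    clause is rewritten to match every row instead of one.
$escaped = addslashes($userInput);
$rows = $pdo->query("SELECT id, name FROM users WHERE id = $escaped")
            ->fetchAll(PDO::FETCH_ASSOC);
echo "addslashes + concatenation returned " . count($rows) . " row(s)\n";

// 2) Prepared statement. The SQL text is fixed before the value is bound, so the
//    input can only ever be compared as a value, never parsed as SQL.
$stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = :id');
$stmt->execute([':id' => $userInput]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
echo "prepared statement returned " . count($rows) . " row(s)\n";

// 3) Validation as an additional layer, as suggested above: decide what a field
//    may contain before the value gets anywhere near the database. Both helpers
//    are hypothetical names chosen for this example.
function validPhone(string $s): bool
{
    // digits, plus, dash, parentheses and spaces only, 7 to 20 characters
    return preg_match('/^[0-9+\-() ]{7,20}$/', $s) === 1;
}

function validName(string $s): bool
{
    // letters (any script), space, period, apostrophe and hyphen, up to 64 characters
    return preg_match('/^[\p{L} .\'\-]{1,64}$/u', $s) === 1;
}

var_dump(validPhone('555-0100'));
var_dump(validName('Mr. Kickass!! $$CatKisser$$'));
```

The same prepared-statement call works unchanged against MySQL by swapping the DSN for `mysql:host=...;dbname=...`; the point is that the parameter is bound by the driver rather than spliced into the query string.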

On Wed, Sep 14, 2016 at 7:11 AM, Keith Smith <techlists@phpcoderusa.com> wrote:

I think this is a great opportunity to talk about sanitizing one's data before sending it to the DB.

There are two very easy things one can do if programming in PHP.

1) Addslashes - Returns a string with backslashes before characters that need to be escaped. These characters are single quote ('), double quote ("), backslash (\) and NUL (the NULL byte).

2) htmlentities — Convert all applicable characters to HTML entities - this will convert any semicolons not enclosed in quotes into its HTML entity.

http://php.net/manual/en/security.database.sql-injection.php

Little Bobby Tables: http://php.net/manual/en/images/fa7c5b5f326e3c4a6cc9db19e7edbaf0-xkcd-bobby-tables.png

I do not profess to be an expert in this area.  I spent a lot of time looking into this about 10 years ago and still feel like I need to know more.  I'm always eager to learn more in this area.

Please add your thoughts?

Thanks!!
Keith





On 2016-09-14 01:41, der.hans wrote:
On 14 Sep 2016, Herminio Hernandez, Jr. wrote:

Should I be concerned even if my SQL server is only listening on localhost?

Depends on what you have using it.

If it's the DB for a web site, then it's possible that SQL injection can
be used to modify your database.

For instance, WordPress has lots of security issues, so it likely can be
exploited to use SQL injection to talk to your DB.

ciao,

der.hans

On Mon, Sep 12, 2016 at 1:29 PM, Joseph Sinclair <plug-discussion@stcaz.net> wrote:

FYI, minor improvement below to lock down a few edge cases (note, this is
primarily for EXT{2,3,4} and other filesystems that support file
attributes).
You'll also need to remove the attribute manually before updating when
patches become available.

On 09/12/2016 12:33 PM, der.hans wrote:
On 12 Sep 2016, Herminio Hernandez Jr. wrote:

hello,

Basically they mirror the repos. So when it hits debian I will upgrade.

Ah, OK.

You might also want to create a couple of empty files and lock them down.

$datadir can be exploited, so pre-emptively putting empty conf files in
there that can't be changed by mysql is a good idea.

The following is for anyone with questions on locking down the config
files in $datadir.

Presuming $datadir is /var/lib/mysql either of the following will lock
down the files when run as root, but the first will destroy files you
might already have.

# >/var/lib/mysql/my.cnf
# >/var/lib/mysql/.my.cnf
# chmod 000 /var/lib/mysql/{.,}my.cnf
# chattr +i /var/lib/mysql/{.,}my.cnf

Or, with some minimal verification that it's safe...

# for file in /var/lib/mysql/{.,}my.cnf; do
    if [ ! -e "$file" ] ; then
        # nothing there yet: create an empty file, lock it down and show the result
        >"$file"
        chmod 000 "$file"
        chattr +i "$file"
        ls -l "$file"
        lsattr "$file"
    else
        # a file already exists: leave it alone and show its state for review
        ls -l "$file"
        lsattr "$file"
        echo "You might want to check on that"
    fi
done

ciao,

der.hans

Sent from my iPhone

On Sep 12, 2016, at 12:00 PM, der.hans <PLUGd@LuftHans.com> wrote:

On 12 Sep 2016, Herminio Hernandez Jr. wrote:

hello,

Thanks, have some SQL in DO droplets. Will be looking for this.

Will DigitalOcean automagically apply the patches for you?

I would expect it's in their best interest.

I'm certain DreamHost is already upgraded. GoDaddy is probably rolling it
out already, but I no longer know anyone on the team over there, so am not
sure how quick they will be.

This is admittedly one of the advantages of cloud. The infrastructure
providers can centrally test and roll out for everyone. The disadvantage
is if it's something that affects you, but they don't know or care about
it :).

ciao,

der.hans

Sent from my iPhone

On Sep 12, 2016, at 11:18 AM, der.hans <PLUGd@LuftHans.com> wrote:

hello,

a MySQL remote exploit was announced this morning. Percona and MariaDB
already have fixes that have not yet hit the distros.

https://www.percona.com/blog/2016/09/12/percona-server-critical-update-cve-2016-6662

http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html

Watch for updates.

ciao,

der.hans
--
http://www.LuftHans.com/        http://www.PhxLinux.org/
#  Fairy Tale, n.: A horror story to prepare children for the newspapers.
---------------------------------------------------
PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
To subscribe, unsubscribe, or to change your mail settings:
http://lists.phxlinux.org/mailman/listinfo/plug-discuss

--
http://www.LuftHans.com/        http://www.PhxLinux.org/
#  "You go to Afghanistan and you swallow enough dust that you'll pass an
#  adobe brick." -- Robin Williams, 03Aug2006

--
Keith Smith