Re: MySQL remote exploit

Author: Keith Smith
Date:  
To: Main PLUG discussion list
CC: der.hans
Subject: Re: MySQL remote exploit

I think this is a great opportunity to talk about sanitizing one's data
before sending it to the DB.

There are two very easy things one can do if programming in PHP.

1) Addslashes - Returns a string with backslashes before characters that
need to be escaped. These characters are single quote ('), double quote
("), backslash (\) and NUL (the NULL byte).

2) htmlentities - Convert all applicable characters to HTML entities -
this will convert any semicolons not enclosed in quotes into its HTML
entity.

http://php.net/manual/en/security.database.sql-injection.php

Little Bobby Tables :
http://php.net/manual/en/images/fa7c5b5f326e3c4a6cc9db19e7edbaf0-xkcd-bobby-tables.png

I do not profess to be an expert in this area. I spent a lot of time
looking into this about 10 years ago and still feel like I need to know
more. I'm always eager to learn more in this area.

Please add your thoughts?

Thanks!!
Keith




On 2016-09-14 01:41, der.hans wrote:
> On 14 Sep 2016, Herminio Hernandez, Jr. wrote:
>
>> Should I be concerned even if my SQL server is only listening on
>> localhost?
>
> Depends on what you have using it.
>
> If it's the DB for a web site, then it's possible that SQL injection can
> be used to modify your database.
>
> For instance, WordPress has lots of security issues, so it likely can be
> exploited to use SQL injection to talk to your DB.
>
> ciao,
>
> der.hans
>
>> On Mon, Sep 12, 2016 at 1:29 PM, Joseph Sinclair
>> <>
>> wrote:
>>
>>> FYI, minor improvement below to lock down a few edge cases (note, this is
>>> primarily for EXT{2,3,4} and other filesystems that support file
>>> attributes).
>>> You'll also need to remove the attribute manually before updating when
>>> patches become available.
>>>
>>> On 09/12/2016 12:33 PM, der.hans wrote:
>>>> On 12 Sep 2016, Herminio Hernandez Jr. wrote:
>>>>
>>>> hello,
>>>>
>>>>> Basically they mirror the repos. So when it hits debian I will
>>>>> upgrade.
>>>>
>>>> Ah, OK.
>>>>
>>>> You might also want to create a couple of empty files and lock them down.
>>>>
>>>> $datadir can be exploited, so pre-emptively putting empty conf files in
>>>> there that can't be changed by mysql is a good idea.
>>>>
>>>> The following is for anyone with questions on locking down the config
>>>> files in $datadir.
>>>>
>>>> Presuming $datadir is /var/lib/mysql either of the following will lock
>>>> down the files when run as root, but the first will destroy files you
>>>> might already have.
>>>>
>>>> # >/var/lib/mysql/my.cnf
>>>> # >/var/lib/mysql/.my.cnf
>>>> # chmod 000 /var/lib/mysql/{.,}my.cnf
>>>> # chattr +i /var/lib/mysql/{.,}my.cnf
>>>>
>>>> Or, with some minimal verification that it's safe...
>>>>
>>>> # for file in /var/lib/mysql/{.,}my.cnf; do
>>>>     if [ ! -e "$file" ]; then
>>>>         # nothing there yet: create an empty file, make it unreadable
>>>>         # and then immutable, and show the result
>>>>         >"$file"
>>>>         chmod 000 "$file"
>>>>         chattr +i "$file"
>>>>         ls -l "$file"
>>>>         lsattr "$file"
>>>>     else
>>>>         # a file already exists: show it but leave it alone
>>>>         ls -l "$file"
>>>>         lsattr "$file"
>>>>         echo "You might want to check on that"
>>>>     fi
>>>> done
>>>>
>>>> ciao,
>>>>
>>>> der.hans
>>>>
>>>>> Sent from my iPhone
>>>>>
>>>>>> On Sep 12, 2016, at 12:00 PM, der.hans <> wrote:
>>>>>>
>>>>>> On 12 Sep 2016, Herminio Hernandez Jr. wrote:
>>>>>>
>>>>>> hello,
>>>>>>
>>>>>>> Thanks have some SQL in DO droplets. Will be looking for this.
>>>>>>
>>>>>> Will DigitalOcean automagically apply the patches for you?
>>>>>>
>>>>>> I would expect it's in their best interest.
>>>>>>
>>>>>> I'm certain DreamHost is already upgraded. GoDaddy is probably rolling it
>>>>>> out already, but I no longer know anyone on the team over there, so am not
>>>>>> sure how quick they will be.
>>>>>>
>>>>>> This is admittedly one of the advantages of cloud. The infrastructure
>>>>>> providers can centrally test and roll out for everyone. The disadvantage
>>>>>> is if it's something that affects you, but they don't know or care about
>>>>>> it :).
>>>>>>
>>>>>> ciao,
>>>>>>
>>>>>> der.hans
>>>>>>
>>>>>>> Sent from my iPhone
>>>>>>>
>>>>>>>> On Sep 12, 2016, at 11:18 AM, der.hans <>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>> hello,
>>>>>>>>
>>>>>>>> a MySQL remote exploit was announced this morning. Percona and MariaDB
>>>>>>>> already have fixes that have not yet hit the distros.
>>>>>>>>
>>>>>>>> https://www.percona.com/blog/2016/09/12/percona-server-critical-update-cve-2016-6662
>>>>>>>>
>>>>>>>> http://legalhackers.com/advisories/MySQL-Exploit-Remote-Root-Code-Execution-Privesc-CVE-2016-6662.html
>>>>>>>>
>>>>>>>> Watch for updates.
>>>>>>>>
>>>>>>>> ciao,
>>>>>>>>
>>>>>>>> der.hans
>>>>>>>> --
>>>>>>>> #  http://www.LuftHans.com/        http://www.PhxLinux.org/
>>>>>>>> #  Fairy Tale, n.: A horror story to prepare children for the newspapers.
>>>>>>>> ---------------------------------------------------
>>>>>>>> PLUG-discuss mailing list - 
>>>>>>>> To subscribe, unsubscribe, or to change your mail settings:
>>>>>>>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>>>>>
>>>>>> --
>>>>>> #  http://www.LuftHans.com/        http://www.PhxLinux.org/
>>>>>> #  "You go to Afghanistan and you swallow enough dust that you'll pass an
>>>>>> #  adobe brick." -- Robin Williams, 03Aug2006
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>


--
Keith Smith
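As an added illustration of the PHP sanitizing discussion above (this is not code from the original post), the php.net page Keith links recommends prepared statements alongside escaping; the snippet below puts the addslashes() string-building approach next to a PDO parameterized query so the difference is visible. The `users` table, the DSN and the credentials are assumed placeholders.

```php
<?php
// Added example, not from the original post. Assumes a MySQL database
// reachable over PDO with a table `users` (name VARCHAR, email VARCHAR);
// the DSN and credentials below are placeholders.

// Constructed input containing a single quote, the classic problem case
// for string-built SQL (a real user named O'Brien triggers it too).
$name = $_GET['name'] ?? "O'Brien";

// 1) Escape-based approach from the post: addslashes() before building the
//    query text. It only holds up if every value is wrapped in quotes and
//    the escaping rules match the connection's character set.
$escapedSql = "SELECT email FROM users WHERE name = '" . addslashes($name) . "'";

// 2) Parameterized query with PDO: the value is sent separately from the
//    SQL text, so it is never parsed as SQL and needs no escaping at all.
$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4',   // placeholder DSN
    'app_user',                                          // placeholder user
    'placeholder-password',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,  // real server-side prepares
    ]
);

$stmt = $pdo->prepare('SELECT email FROM users WHERE name = :name');
$stmt->execute([':name' => $name]);

// Output encoding belongs at render time, not before the database call:
// htmlspecialchars() protects the HTML page, the prepared statement
// protects the query.
foreach ($stmt as $row) {
    echo htmlspecialchars($row['email'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

The escaped query string is kept in `$escapedSql` only for comparison; in the PDO version there is no query-string assembly step for a stray quote to break out of.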