m.roth at 5-cent.us
2016-Mar-24 15:28 UTC
[CentOS] C5 MySQL injection attack ("Union Select")
Valeri Galtsev wrote:
>
> On Thu, March 24, 2016 9:48 am, m.roth at 5-cent.us wrote:
>> Valeri Galtsev wrote:
>>> On Wed, March 23, 2016 10:21 pm, Always Learning wrote:
>>>> mysql Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (x86_64) using
>>>> readline 5.1
>> <snip>
>>> Indeed. There are several flaws in how mysql handles data. This is why
>>
>> Ok, do you have a link or two to info about that?
>
> Mark, you seemed to snip away the link to the presentation on youtube:
>
> https://www.youtube.com/watch?v=1PoFIohBSM4
>
Oh. I really dislike videos of people explaining something I could read,
if they'd just typed it up.... (I mean the author, not you). But I suppose
I'll watch it.
<snip>
>> We seem to be moving to postgresql.
>
> Great!
>
>> I find I do not like it - it's much
>> more of a pain to work with than mysql is. Do you have any opinions
>> about mariadb? Are there improvements over the flaws you're aware
>> of with mysql?
>
> Mariadb, being a fork of mysql, likely inherited mysql's "inconsistencies".
> Not that I would say mysql (and mariadb surely) folks are not working on
> improvements. E.g., the default installation of the latest mysql does not
> have any accounts with empty password (I was weeding these away for years
> with every new installation of mysql. Oh, well, maybe I'm wrong, as I just
> saw this fixed on FreeBSD, so it is possible that the package maintainer
> did this nice cleaning). I'm not the one who can have any opinion on
> something (mariadb) which he doesn't use, still...

Well, remember that it was forked after the Evil Empire took over mysql. I
just wonder if Oracle is *not* fixing some security issues... because they
obviously want you to "fix" that problem by simply buying Oracle. With
that train of thought, that's why I'm wondering if the mariadb team *is*
fixing the issues.

     mark
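The "weeding away" of empty-password accounts that Valeri describes is what the stock mysql_secure_installation script does; the statements below spell it out as an added example (not code from the thread or from the MySQL project). Column names assume MySQL 5.0/5.5 and the mysql_native_password scheme, matching the 5.0.95 server in this thread; on MySQL 5.7+ and recent MariaDB the `Password` column is `authentication_string` and `PASSWORD()` is gone, so the audit query and the `SET PASSWORD` line need adjusting. The password value `CHANGE-ME` is a placeholder.

```sql
-- Added example, not from the thread: audit and clean up default
-- MySQL accounts. Assumes MySQL 5.0/5.5 (column mysql.user.Password).

-- 1. Audit: anonymous accounts (empty User) and accounts with no
--    password at all. Anything this returns can be used by anyone
--    who can reach the socket or port.
SELECT User, Host, Password = '' AS no_password
FROM mysql.user
WHERE User = '' OR Password = '';

-- 2. Audit: accounts reachable from any host.
SELECT User, Host FROM mysql.user WHERE Host = '%';

-- 3. Clean-up, same steps as mysql_secure_installation:
--    remove anonymous accounts ...
DELETE FROM mysql.user WHERE User = '';

--    ... restrict root to local connections ...
DELETE FROM mysql.user
WHERE User = 'root' AND Host NOT IN ('localhost', '127.0.0.1', '::1');

--    ... drop the world-writable sample database and its grants
--    ('test\\_%' is the literal pattern stored by the default grant).
DROP DATABASE IF EXISTS test;
DELETE FROM mysql.db WHERE Db = 'test' OR Db = 'test\\_%';

-- 4. Give root a real password instead of leaving it empty
--    (placeholder value; assumed pre-5.7 PASSWORD() syntax).
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('CHANGE-ME');

-- 5. Reload the grant tables so the DELETEs take effect for new logins.
FLUSH PRIVILEGES;

-- Re-run the audit: both SELECTs should now return no rows.
SELECT User, Host FROM mysql.user WHERE User = '' OR Password = '';
```

Run the audit queries first on any inherited server; the DELETE statements edit the grant tables directly, so they need `FLUSH PRIVILEGES` afterwards, unlike `DROP USER`, which takes effect immediately.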
On 03/24/2016 08:28 AM, m.roth at 5-cent.us wrote:
> Valeri Galtsev wrote:
>>
>> On Thu, March 24, 2016 9:48 am, m.roth at 5-cent.us wrote:
>>> Valeri Galtsev wrote:
>>>> On Wed, March 23, 2016 10:21 pm, Always Learning wrote:
>>>>> mysql Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (x86_64) using
>>>>> readline 5.1
>>> <snip>
>>>> Indeed. There are several flaws in how mysql handles data. This is why
>>>
>>> Ok, do you have a link or two to info about that?
>>
>> Mark, you seemed to snip away the link to the presentation on youtube:
>>
>> https://www.youtube.com/watch?v=1PoFIohBSM4
>>
> Oh. I really dislike videos of people explaining something I could read,
> if they'd just typed it up.... (I mean the author, not you). But I suppose
> I'll watch it.

I'm with you there. It is getting worse because people are trying to
monetize it with the ads that YouTube plays first.

But you can't scan it, easily move back when you need to, etc.

I wish more online help and tutorials were text like they used to be.
On Thu, March 24, 2016 10:32 am, Alice Wonder wrote:
> On 03/24/2016 08:28 AM, m.roth at 5-cent.us wrote:
>> Valeri Galtsev wrote:
>>>
>>> On Thu, March 24, 2016 9:48 am, m.roth at 5-cent.us wrote:
>>>> Valeri Galtsev wrote:
>>>>> On Wed, March 23, 2016 10:21 pm, Always Learning wrote:
>>>>>> mysql Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (x86_64) using
>>>>>> readline 5.1
>>>> <snip>
>>>>> Indeed. There are several flaws in how mysql handles data. This is
>>>>> why
>>>>
>>>> Ok, do you have a link or two to info about that?
>>>
>>> Mark, you seemed to snip away the link to the presentation on youtube:
>>>
>>> https://www.youtube.com/watch?v=1PoFIohBSM4
>>>
>> Oh. I really dislike videos of people explaining something I could read,
>> if they'd just typed it up.... (I mean the author, not you). But I
>> suppose
>> I'll watch it.
>
> I'm with you there. It is getting worse because people are trying to
> monetize it with the ads that YouTube plays first.
>
> But you can't scan it, easily move back when you need to, etc.
>
> I wish more online help and tutorials were text like they used to be.

I agree with you both, gentlemen. But I gave the link I had handy. It is
kind of laziness on my part, I admit: I decided not to invest in searching
for a convenient equivalent, and gave something I already had a reference
to, letting those who are interested find out either from this video or
find a better, readable, source. If someone finds a better source, I would
appreciate it, as my users will benefit if I refer them to a more
digestible presentation.

Thanks in advance!

Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++
On Thu, March 24, 2016 10:28 am, m.roth at 5-cent.us wrote:
> Valeri Galtsev wrote:
>>
>> On Thu, March 24, 2016 9:48 am, m.roth at 5-cent.us wrote:
>>> Valeri Galtsev wrote:
>>>> On Wed, March 23, 2016 10:21 pm, Always Learning wrote:
>>>>> mysql Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (x86_64) using
>>>>> readline 5.1
>>> <snip>
>>>> Indeed. There are several flaws in how mysql handles data. This is why
>>>
>>> Ok, do you have a link or two to info about that?
>>
>> Mark, you seemed to snip away the link to the presentation on youtube:
>>
>> https://www.youtube.com/watch?v=1PoFIohBSM4
>>
> Oh. I really dislike videos of people explaining something I could read,
> if they'd just typed it up.... (I mean the author, not you). But I suppose
> I'll watch it.
> <snip>
>>> We seem to be moving to postgresql.
>>
>> Great!
>>
>>> I find I do not like it - it's much
>>> more of a pain to work with than mysql is. Do you have any opinions
>>> about mariadb? Are there improvements over the flaws you're aware
>>> of with mysql?
>>
>> Mariadb, being a fork of mysql, likely inherited mysql's
>> "inconsistencies".
>> Not that I would say mysql (and mariadb surely) folks are not working on
>> improvements. E.g., the default installation of the latest mysql does not
>> have
>> any accounts with empty password (I was weeding these away for years
>> with
>> every new installation of mysql. Oh, well, maybe I'm wrong, as I
>> just
>> saw this fixed on FreeBSD, so it is possible that the package maintainer
>> did this nice cleaning). I'm not the one who can have any opinion on
>> something
>> (mariadb) which he doesn't use, still...
>
> Well, remember that it was forked after the Evil Empire took over mysql. I
> just wonder if Oracle is *not* fixing some security issues... because they
> obviously want you to "fix" that problem by simply buying Oracle. With
> that train of thought, that's why I'm wondering if the mariadb team *is*
> fixing the issues.

I was going to add the following, and I didn't. This actually is not about
mysql or mariadb vs postgresql, but more about one's general approach to
what you will choose. Way back when there were continuing security issues
with sendmail (which were being promptly fixed, still...) I was looking for
what I could use as mail server software. And I chose postfix, as it was
architected from the very beginning with security in mind. There will
probably be no frequent need to fix issues, as from the very beginning the
code was created so as to have as minimal a number of potential issues as
possible. I'm not inviting a discussion about the variety of particular
MTAs etc. I was just trying to say in general: something better written
from the very beginning vs something that needs many fixes. The latter,
BTW, will more likely make you suffer down the road because of changes to
the internals with each upgrade to the next version etc.

I hope I managed to convey the thought...

Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++