similar to: C5 MySQL injection attack ("Union Select")

On 03/24/2016 03:54 AM, Leon Fauster wrote: > Am 24.03.2016 um 04:21 schrieb Always Learning <centos at u64.u22.net>: >> mysql Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (x86_64) using >> readline 5.1 > > > > Current version on C5 is mysql55, 5.0 does not get any updates anymore! > Let me reiterate this: the mysql-5.0.95* packages are not supported.

On Wed, March 23, 2016 10:21 pm, Always Learning wrote: > mysql Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (x86_64) using > readline 5.1 > > > I spotted something strange and immediately installed a routine to > automatically impose an iptables block when the key used for database > access is excessively long. Indeed. There are several flaws in how mysql handles data.

On 03/23/2016 08:21 PM, Always Learning wrote: > mysql Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (x86_64) using > readline 5.1 > > > I spotted something strange and immediately installed a routine to > automatically impose an iptables block when the key used for database > access is excessively long. > > My URL was something like this > >

Valeri Galtsev wrote: > > On Thu, March 24, 2016 9:48 am, m.roth at 5-cent.us wrote: >> Valeri Galtsev wrote: >>> On Wed, March 23, 2016 10:21 pm, Always Learning wrote: >>>> mysql Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (x86_64) using >>>> readline 5.1 >> <snip>> >>> Indeed. There are several flaws in how mysql handles

Valeri Galtsev wrote: > On Wed, March 23, 2016 10:21 pm, Always Learning wrote: >> mysql Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (x86_64) using >> readline 5.1 <snip>> > Indeed. There are several flaws in how mysql handles data. This is why to Ok, do you have a link or two to info about that? > the best of my ability I am trying to avoid mysql, and use

On Thu, 2016-03-24 at 04:08 -0700, Alice Wonder wrote: > Always use parameterized statements (aka prepared statements) for SQL > that involves untrusted input. > > I like to use them even for input that involves trusted input because it > is easy to make a change in my code and not think about how it impacts > the parameters. > > -=- > > This is an attack on

Am 24.03.2016 um 04:21 schrieb Always Learning <centos at u64.u22.net>: > mysql Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (x86_64) using > readline 5.1 Current version on C5 is mysql55, 5.0 does not get any updates anymore! -- LF

I recently applied updates to a CentOS 5 box running MySQL. I've discovered that the new version of openssl, 0.9.8e-36.0.1.el5_11, breaks MySQL SSL connections. If I rename /lib/libssl.so.0.9.8e and replace it with the old version of that file from openssl-0.9.8e-27.el5_10.1 (not sure if that is the next oldest, but it was handy), then SSL connection to MySQL works again. I then performed

On Thu, March 24, 2016 10:32 am, Alice Wonder wrote: > On 03/24/2016 08:28 AM, m.roth at 5-cent.us wrote: >> Valeri Galtsev wrote: >>> >>> On Thu, March 24, 2016 9:48 am, m.roth at 5-cent.us wrote: >>>> Valeri Galtsev wrote: >>>>> On Wed, March 23, 2016 10:21 pm, Always Learning wrote: >>>>>> mysql Ver 14.12 Distrib 5.0.95,

On 08/17/2015 11:19 AM, Johnny Hughes wrote: > On 08/17/2015 10:57 AM, Tony Mountifield wrote: >> I recently applied updates to a CentOS 5 box running MySQL. I've discovered >> that the new version of openssl, 0.9.8e-36.0.1.el5_11, breaks MySQL SSL >> connections. >> >> If I rename /lib/libssl.so.0.9.8e and replace it with the old version of >> that file

On Thu, March 24, 2016 9:48 am, m.roth at 5-cent.us wrote: > Valeri Galtsev wrote: >> On Wed, March 23, 2016 10:21 pm, Always Learning wrote: >>> mysql Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (x86_64) using >>> readline 5.1 > <snip>> >> Indeed. There are several flaws in how mysql handles data. This is why >> to > > Ok, do you have a

On 03/24/2016 08:28 AM, m.roth at 5-cent.us wrote: > Valeri Galtsev wrote: >> >> On Thu, March 24, 2016 9:48 am, m.roth at 5-cent.us wrote: >>> Valeri Galtsev wrote: >>>> On Wed, March 23, 2016 10:21 pm, Always Learning wrote: >>>>> mysql Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (x86_64) using >>>>> readline 5.1 >>>

On Thu, 2016-03-24 at 10:48 -0500, Johnny Hughes wrote: > I guarantee that the 5.0.95 packages have security issues. Here is how > to move to the newer mysql55 packages: > > http://red.ht/1pAcb7q > > I can't stress enough, mysql-5.0 on el5 is absolutely not updated > security wise. The last update to it happened on 22-Jan-2013 and was in > CentOS-5.9 .. we are now

> Be careful with WordPress - it's database handler doesn't actually use > parameterized statements, it emulates them with printf - one (of many) > reasons I do not like the product. This is a rather controversial statement. There's nothing wrong with using sprintf when building sql queries. Besides "Using a prepared statement is not always the most efficient way of

On Thu, Mar 24, 2016 at 9:08 AM, Always Learning <centos at u64.u22.net> wrote: >> I can't stress enough, mysql-5.0 on el5 is absolutely not updated >> security wise. > > Thanks. Reading it now. Just to be clear: you absolutely should upgrade to a currently maintained version of MySQL. However, upgrading will not protect you from SQL injection attacks. The probes

This is obviously an application level problem. What is this php file? You should upgrade wordpress and remove or block access to the plugin or custom page which allows sql injections.

On 03/24/2016 07:33 AM, Always Learning wrote: *snip* > > Thank you. That server is the last production server on C5. I need to > shift it to C6 and Maria 10. > > I am 'always learning' security is a perpetual task. Thankfully I always > read the daily logs and reports (an arduous task). > > Many thanks. > I would shift to CentOS 7. Always deploy the latest

On Thu, 2016-03-24 at 14:27 +0300, ????????? ???????? wrote: > This is obviously an application level problem. What is this php file? > You should upgrade wordpress and remove or block access to the plugin or > custom page which allows sql injections. Yes, my mistake. I should have imposed strict controls on the length of parameters passed to programmes via web pages $_GET[] such as:-

On 03/24/2016 07:57 AM, Always Learning wrote: > I should have imposed strict controls on the length of > parameters passed to programmes via web pages $_GET[] such as... > and reject any incoming string containing ' or " in addition to PHP's > strip_tags and (deprecated in later versions) > mysql_real_escape_string($_GET['....'],$link); No. No. Nooooooooo.

On Thu, 2016-03-24 at 09:18 -0700, Gordon Messmer wrote: > On 03/24/2016 07:57 AM, Always Learning wrote: > > I should have imposed strict controls on the length of > > parameters passed to programmes via web pages $_GET[] such as... > > and reject any incoming string containing ' or " in addition to PHP's > > strip_tags and (deprecated in later versions)