2016 Mar 24
3
C5 MySQL injection attack ("Union Select")
On 03/24/2016 03:54 AM, Leon Fauster wrote:
> Am 24.03.2016 um 04:21 schrieb Always Learning <centos at u64.u22.net>:
>> mysql Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (x86_64) using
>> readline 5.1
>
>
>
> Current version on C5 is mysql55, 5.0 does not get any updates anymore!
>
Let me reiterate this:
the mysql-5.0.95* packages are not supported.
2016 Mar 24
0
C5 MySQL injection attack ("Union Select")
On Wed, March 23, 2016 10:21 pm, Always Learning wrote:
> mysql Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (x86_64) using
> readline 5.1
>
>
> I spotted something strange and immediately installed a routine to
> automatically impose an iptables block when the key used for database
> access is excessively long.
Indeed. There are several flaws in how mysql handles data.
2016 Mar 24
0
C5 MySQL injection attack ("Union Select")
On 03/23/2016 08:21 PM, Always Learning wrote:
> mysql Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (x86_64) using
> readline 5.1
>
>
> I spotted something strange and immediately installed a routine to
> automatically impose an iptables block when the key used for database
> access is excessively long.
>
> My URL was something like this
>
>
2016 Mar 24
3
C5 MySQL injection attack ("Union Select")
Valeri Galtsev wrote:
>
> On Thu, March 24, 2016 9:48 am, m.roth at 5-cent.us wrote:
>> Valeri Galtsev wrote:
>>> On Wed, March 23, 2016 10:21 pm, Always Learning wrote:
>>>> mysql Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (x86_64) using
>>>> readline 5.1
>> <snip>>
>>> Indeed. There are several flaws in how mysql handles
2016 Mar 24
4
C5 MySQL injection attack ("Union Select")
Valeri Galtsev wrote:
> On Wed, March 23, 2016 10:21 pm, Always Learning wrote:
>> mysql Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (x86_64) using
>> readline 5.1
<snip>>
> Indeed. There are several flaws in how mysql handles data. This is why to
Ok, do you have a link or two to info about that?
> the best of my ability I am trying to avoid mysql, and use
2016 Mar 24
2
C5 MySQL injection attack ("Union Select")
On Thu, 2016-03-24 at 04:08 -0700, Alice Wonder wrote:
> Always use parameterized statements (aka prepared statements) for SQL
> that involves untrusted input.
>
> I like to use them even for input that involves trusted input because it
> is easy to make a change in my code and not think about how it impacts
> the parameters.
>
> -=-
>
> This is an attack on
2016 Mar 24
0
C5 MySQL injection attack ("Union Select")
Am 24.03.2016 um 04:21 schrieb Always Learning <centos at u64.u22.net>:
> mysql Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (x86_64) using
> readline 5.1
Current version on C5 is mysql55, 5.0 does not get any updates anymore!
--
LF
2015 Aug 17
3
C5 recent openssl update breaks mysql SSL connection
I recently applied updates to a CentOS 5 box running MySQL. I've discovered
that the new version of openssl, 0.9.8e-36.0.1.el5_11, breaks MySQL SSL
connections.
If I rename /lib/libssl.so.0.9.8e and replace it with the old version of
that file from openssl-0.9.8e-27.el5_10.1 (not sure if that is the next
oldest, but it was handy), then SSL connection to MySQL works again.
I then performed
2016 Mar 24
1
C5 MySQL injection attack ("Union Select")
On Thu, March 24, 2016 10:32 am, Alice Wonder wrote:
> On 03/24/2016 08:28 AM, m.roth at 5-cent.us wrote:
>> Valeri Galtsev wrote:
>>>
>>> On Thu, March 24, 2016 9:48 am, m.roth at 5-cent.us wrote:
>>>> Valeri Galtsev wrote:
>>>>> On Wed, March 23, 2016 10:21 pm, Always Learning wrote:
>>>>>> mysql Ver 14.12 Distrib 5.0.95,
2015 Aug 17
2
C5 recent openssl update breaks mysql SSL connection
On 08/17/2015 11:19 AM, Johnny Hughes wrote:
> On 08/17/2015 10:57 AM, Tony Mountifield wrote:
>> I recently applied updates to a CentOS 5 box running MySQL. I've discovered
>> that the new version of openssl, 0.9.8e-36.0.1.el5_11, breaks MySQL SSL
>> connections.
>>
>> If I rename /lib/libssl.so.0.9.8e and replace it with the old version of
>> that file
2016 Mar 24
0
C5 MySQL injection attack ("Union Select")
On Thu, March 24, 2016 9:48 am, m.roth at 5-cent.us wrote:
> Valeri Galtsev wrote:
>> On Wed, March 23, 2016 10:21 pm, Always Learning wrote:
>>> mysql Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (x86_64) using
>>> readline 5.1
> <snip>>
>> Indeed. There are several flaws in how mysql handles data. This is why
>> to
>
> Ok, do you have a
2016 Mar 24
0
C5 MySQL injection attack ("Union Select")
On 03/24/2016 08:28 AM, m.roth at 5-cent.us wrote:
> Valeri Galtsev wrote:
>>
>> On Thu, March 24, 2016 9:48 am, m.roth at 5-cent.us wrote:
>>> Valeri Galtsev wrote:
>>>> On Wed, March 23, 2016 10:21 pm, Always Learning wrote:
>>>>> mysql Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (x86_64) using
>>>>> readline 5.1
>>>
2016 Mar 24
0
C5 MySQL injection attack ("Union Select")
On Thu, 2016-03-24 at 10:48 -0500, Johnny Hughes wrote:
> I guarantee that the 5.0.95 packages have security issues. Here is how
> to move to the newer mysql55 packages:
>
> http://red.ht/1pAcb7q
>
> I can't stress enough, mysql-5.0 on el5 is absolutely not updated
> security wise. The last update to it happened on 22-Jan-2013 and was in
> CentOS-5.9 .. we are now
2016 Mar 24
1
C5 MySQL injection attack ("Union Select")
> Be careful with WordPress - its database handler doesn't actually use
> parameterized statements, it emulates them with printf - one (of many)
> reasons I do not like the product.
This is a rather controversial statement. There's nothing wrong with
using sprintf when building sql queries. Besides
"Using a prepared statement is not always the most efficient way of
2016 Mar 24
1
C5 MySQL injection attack ("Union Select")
On Thu, Mar 24, 2016 at 9:08 AM, Always Learning <centos at u64.u22.net> wrote:
>> I can't stress enough, mysql-5.0 on el5 is absolutely not updated
>> security wise.
>
> Thanks. Reading it now.
Just to be clear: you absolutely should upgrade to a currently
maintained version of MySQL.
However, upgrading will not protect you from SQL injection attacks.
The probes
2016 Mar 24
0
C5 MySQL injection attack ("Union Select")
This is obviously an application level problem. What is this php file?
You should upgrade wordpress and remove or block access to the plugin or
custom page which allows sql injections.
2016 Mar 24
0
C5 MySQL injection attack ("Union Select")
On 03/24/2016 07:33 AM, Always Learning wrote:
*snip*
>
> Thank you. That server is the last production server on C5. I need to
> shift it to C6 and Maria 10.
>
> I am 'always learning' security is a perpetual task. Thankfully I always
> read the daily logs and reports (an arduous task).
>
> Many thanks.
>
I would shift to CentOS 7.
Always deploy the latest
2016 Mar 24
2
C5 MySQL injection attack ("Union Select")
On Thu, 2016-03-24 at 14:27 +0300, ????????? ???????? wrote:
> This is obviously an application level problem. What is this php file?
> You should upgrade wordpress and remove or block access to the plugin or
> custom page which allows sql injections.
Yes, my mistake. I should have imposed strict controls on the length of
parameters passed to programmes via web pages $_GET[] such as:-
2016 Mar 24
0
C5 MySQL injection attack ("Union Select")
On 03/24/2016 07:57 AM, Always Learning wrote:
> I should have imposed strict controls on the length of
> parameters passed to programmes via web pages $_GET[] such as...
> and reject any incoming string containing ' or " in addition to PHP's
> strip_tags and (deprecated in later versions)
> mysql_real_escape_string($_GET['....'],$link);
No. No. Nooooooooo.
2016 Mar 24
1
C5 MySQL injection attack ("Union Select")
On Thu, 2016-03-24 at 09:18 -0700, Gordon Messmer wrote:
> On 03/24/2016 07:57 AM, Always Learning wrote:
> > I should have imposed strict controls on the length of
> > parameters passed to programmes via web pages $_GET[] such as...
> > and reject any incoming string containing ' or " in addition to PHP's
> > strip_tags and (deprecated in later versions)