DaemonForums > News
#1, 28th March 2011
Carpetsmoker (Real Name: Martin; Eindhoven, Netherlands; joined Apr 2008; 2,088 posts)

MySQL allegedly hacked - via SQL injection

http://www.h-online.com/security/new...n-1216281.html

Quote:
The hacker says the vulnerability is a blind SQL injection problem. This is a worst case scenario for a web server because the flaw allows access to the entire database behind a public-facing website. SQL injections are possible when SQL commands can be embedded in user input so that Web servers pass them on to the database.
__________________
UNIX was not designed to stop you from doing stupid things, because that would also stop you from doing clever things.
#2, 28th March 2011
vermaden (Administrator; pl_PL.lodz; joined Apr 2008; 1,052 posts)

I am curious if one of the Hiawatha webserver features (SQL injection prevention) can prevent such a hole: http://www.hiawatha-webserver.org/features
__________________
religions, worst damnation of mankind
"If 386BSD had been available when I started on Linux, Linux would probably never have happened." Linus Torvalds

Linux is not UNIX! Face it! It is not an insult. It is fact: GNU is a recursive acronym for “GNU's Not UNIX”.
#3, 28th March 2011
Carpetsmoker

From the manpage:

Quote:
PreventSQLi = yes|no
Prevent SQL-injection by placing a slash before every single-quote in the URL, POST-data and cookie. This is the same as PHP's magic-quotes. You should only use this option if such automated escaping is not already being done. Writing safe code is of course better. Note that this option can break up the uploading of binaries, like images. See also BanOnSQLi.
Default = no, example: PreventSQLi = yes

So basically, no.

What I do is write a "wrapper" function instead of calling the "bare" mysql_query() or cursor.execute() directly.

A more useful feature of Hiawatha, BTW:

Quote:
PreventXSS = yes|no
Prevent cross-site scripting by replacing a less-than, greater-than, quote or double-quote in the URL with an underscore.
Default = no, example: PreventXSS = yes

Hiawatha is also more strict in interpreting the HTTP standard, so malformed (potentially abusive) requests are rejected.
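To make the "So basically, no" concrete, here is an added example (not from the thread and not Hiawatha's or PHP's code): a request value that lands in a numeric context of the query contains no single quote, so PreventSQLi-style quote escaping passes it through unchanged, while the wrapper approach from the post, handing the value to cursor.execute() as a bound parameter, keeps it out of the SQL text altogether. It uses Python's sqlite3 with a constructed in-memory table; `prevent_sqli`, `query`, `lookup_unsafe` and `lookup_safe` are names chosen for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the database behind a public site."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, name TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])
    return con


def prevent_sqli(value):
    """Mimic PreventSQLi / PHP magic quotes: a backslash before every single quote.
    A value that contains no single quote passes through untouched."""
    return value.replace("'", "\\'")


def lookup_unsafe(con, user_id):
    # The "bare" execute the post warns about: the request value is pasted into
    # the SQL text. In a numeric context it needs no quotes to change the query.
    sql = "SELECT name FROM users WHERE id = " + user_id + " ORDER BY id"
    return [row[0] for row in con.execute(sql)]


def query(con, sql, params=()):
    """Wrapper in the spirit of the post: the SQL text is a fixed template and
    every request value travels as a bound parameter, never as part of the text."""
    cur = con.cursor()
    cur.execute(sql, params)
    return cur.fetchall()


def lookup_safe(con, user_id):
    rows = query(con, "SELECT name FROM users WHERE id = ? ORDER BY id", (user_id,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    con = make_db()
    hostile = "1 OR 1=1"  # constructed request value; note it has no single quote
    print(lookup_unsafe(con, prevent_sqli(hostile)))  # ['alice', 'bob']: escaping changed nothing
    print(lookup_safe(con, hostile))                  # []: bound as one value, matches no id
```

The bound-parameter version also keeps working for legitimate input such as "1", which is why the wrapper costs nothing compared with the proxy-side escaping.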
#4, 29th March 2011
vermaden

Ok, thanks mate.