[CentOS] C5 MySQL injection attack ("Union Select")

m.roth at 5-cent.us
Thu Mar 24 15:28:07 UTC 2016


Valeri Galtsev wrote:
>
> On Thu, March 24, 2016 9:48 am, m.roth at 5-cent.us wrote:
>> Valeri Galtsev wrote:
>>> On Wed, March 23, 2016 10:21 pm, Always Learning wrote:
>>>> mysql  Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (x86_64) using
>>>> readline 5.1
>> <snip>
>>> Indeed. There are several flaws in how mysql handles data. This is why
>>
>> Ok, do you have a link or two to info about that?
>
> Mark, you seemed to snip away the link to presentation on youtube :
>
> https://www.youtube.com/watch?v=1PoFIohBSM4
>
Oh. I really dislike videos of people explaining something I could read,
if they'd just typed it up.... (I mean the author, not you). But I suppose
I'll watch it.
<snip>
>> We seem to be moving to postgresql.
>
> Great!
>
>> I find I do not like it - it's much
>> more of a pain to work with than mysql is. Do you have any opinions
>> about maria d/b? Are there improvements over the flaws you're aware
>> of with mysql?
>
> Mariadb being a fork of mysql likely inherited mysql's "inconsistencies".
> Not that I would say mysql (and mariadb surely) folks are not working on
> improvements. E.g., the default installation of latest mysql does not have
> any accounts with empty password (I was weeding these away for years with
> every new installation of mysql. Oh, well, maybe I'm wrong, as this I just
> had seen fixed on FreeBSD, so it is possible that package maintainer did
> this nice cleaning). I'm not the one who can have any opinion on something
> (mariadb) which he doesn't use, still...

Well, remember that it was forked after the Evil Empire took over mysql. I
just wonder if Oracle is *not* fixing some security issues... because they
obviously want you to "fix" that problem by simply buying Oracle. With
that train of thought, that's why I'm wondering if the mariad/b team *is*
fixing the issues.

      mark