[CentOS] C5 MySQL injection attack ("Union Select")

Thu Mar 24 16:05:51 UTC 2016
Valeri Galtsev <galtsev at kicp.uchicago.edu>

On Thu, March 24, 2016 10:28 am, m.roth at 5-cent.us wrote:
> Valeri Galtsev wrote:
>>
>> On Thu, March 24, 2016 9:48 am, m.roth at 5-cent.us wrote:
>>> Valeri Galtsev wrote:
>>>> On Wed, March 23, 2016 10:21 pm, Always Learning wrote:
>>>>> mysql  Ver 14.12 Distrib 5.0.95, for redhat-linux-gnu (x86_64) using
>>>>> readline 5.1
>>> <snip>
>>>> Indeed. There are several flaws in how mysql handles data. This is why
>>>
>>> Ok, do you have a link or two to info about that?
>>
>> Mark, you seemed to snip away the link to presentation on youtube :
>>
>> https://www.youtube.com/watch?v=1PoFIohBSM4
>>
> Oh. I really dislike videos of people explaining something I could read,
> if they'd just typed it up.... (I mean the author, not you). But I suppose
> I'll watch it.
> <snip>
>>> We seem to be moving to postgresql.
>>
>> Great!
>>
>>> I find I do not like it - it's much
>>> more of a pain to work with than mysql is. Do you have any opinions
>>> about mariadb? Are there improvements over the flaws you're aware
>>> of with mysql?
>>
>> Mariadb being a fork of mysql likely inherited mysql's
>> "inconsistencies".
>> Not that I would say mysql (and mariadb surely) folks are not working on
>> improvements. E.g., the default installation of latest mysql does not
>> have any accounts with empty password (I was weeding these away for
>> years with every new installation of mysql. Oh, well, maybe I'm wrong,
>> as this I just had seen fixed on FreeBSD, so it is possible that package
>> maintainer did this nice cleaning). I'm not the one who can have any
>> opinion on something (mariadb) which he doesn't use, still...
>
> Well, remember that it was forked after the Evil Empire took over mysql. I
> just wonder if Oracle is *not* fixing some security issues... because they
> obviously want you to "fix" that problem by simply buying Oracle. With
> that train of thought, that's why I'm wondering if the mariadb team *is*
> fixing the issues.

I was going to add the following, and I didn't. This actually is not about
mysql or mariadb vs postgresql, but more about one's general approach to
what you will choose. Way back when there were continuing security issues
with sendmail (which were being promptly fixed, still...) I was looking
for what I could use as mail server software. And I chose postfix, as it
was architected from the very beginning with security in mind. There
probably will not often be a need to fix issues, as from the very
beginning the code was created so as to have as minimal a number of
potential issues as possible. I don't invite jumping into a discussion
about the variety of particular MTAs etc. I was just trying to say in
general: something better written from the very beginning vs something
that needs many fixes. The latter, BTW, will more likely make you suffer
down the road because of the change of internals with the upgrade to the
next version etc.

I hope I managed to convey the thought...

Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++