Around these days last year I presented `securich` for the first time. It was at FrOSCon 2009, barely knowing anybody, spending my 27th birthday in a hostel in Germany fixing some bugs before the actual presentation on a 10 inch netbook (my mac had some problems at the time but that's another story :)). I got a beating, verbally of course! Many of the people listening to the presentation were expecting something else since another presentation was supposed to be running at that time, some even started dozing off (encouraging? not really hehe) but after a few minutes people started getting interested and asking all kinds of questions. "This is awesome" I thought to myself, "questions are good, it means people are understanding and want to know more", but the more they learnt the more they realised how young securich was as a tool, lacking fundamental features like …
This is a very good article discussing the different HTML sanitizers available in the PHP community, what they mean, and the general state of things. Even the WordPress sanitizer (Kses) is included in this review. I really recommend you read this before you start building your own mini CMS.
This Thursday (June 10th, 14:00 UTC), Darren Cassar will rerun his February 25 presentation of Securich - Security Plugin for MySQL. (Recording of the session failed in February; hopefully it will succeed this time.) According to Darren, the author of the plugin, Securich is an incredibly handy and versatile tool for managing user privileges on MySQL through the use of roles. It basically makes granting and revoking rights a piece of cake, not to mention the added security it provides through password expiry and password history, the customization level it permits, and the fact that it runs on any MySQL 5.0 or later and is easily deployable on any official MySQL binary, platform independent.
More information here: …
By default MySQL allows you to create user accounts and privileges with no password. In my earlier MySQL Best Practices: User Security post I describe how to address the empty passwords of the default installation.
For new user accounts, you can improve this default behavior using the SQL_MODE variable with a value of NO_AUTO_CREATE_USER. As detailed in the 5.1 Reference Manual:
NO_AUTO_CREATE_USER: Prevent the GRANT statement from automatically creating new users if it would otherwise do so, unless a nonempty password also is specified.
Having set this variable I attempted to show the error of operation to demonstrate in my upcoming "MySQL Idiosyncrasies that bite" presentation. …
It is critical that you do not use the default MySQL installation security; it is simply insecure.
Default Installation
When installed, MySQL allows any user with local (shell) access to the server to connect to MySQL through the anonymous, unauthenticated accounts. MySQL also provides complete access to all super user privileges via the 'root' user, which has no default password.
$ mysql -uroot
mysql> SELECT host,user,password FROM mysql.user;
+--------------+------+-------------------------------------------+
| host         | user | password                                  |
+--------------+------+-------------------------------------------+
| localhost    | root |                                           |
| server.local | root |                                           |
| 127.0.0.1    | root |                                           |
| localhost    |      |                                           |
| server.local |      …
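The two fixes these excerpts call for, closing the password-less default accounts and refusing implicit account creation with NO_AUTO_CREATE_USER, written out as an added example for MySQL 5.1 (not code from the original posts). The database name shop, the user app, and the passwords are constructed placeholders.

```sql
-- Added example, not from the original posts. Targets MySQL 5.1 syntax.
-- Host names follow the mysql.user listing above; passwords are placeholders.

-- 1. Find every account that can log in with an empty password.
SELECT host, user FROM mysql.user WHERE password = '';

-- 2. Give each root account a password and remove the anonymous ('') users.
SET PASSWORD FOR 'root'@'localhost'    = PASSWORD('CHANGE_ME_root_password');
SET PASSWORD FOR 'root'@'127.0.0.1'    = PASSWORD('CHANGE_ME_root_password');
SET PASSWORD FOR 'root'@'server.local' = PASSWORD('CHANGE_ME_root_password');
DROP USER ''@'localhost';
DROP USER ''@'server.local';

-- 3. Stop GRANT from silently creating password-less accounts.
--    SET GLOBAL only affects new connections; the session that ran it keeps
--    its old sql_mode, so set both (and persist it in my.cnf under [mysqld]).
SET GLOBAL  sql_mode = 'NO_AUTO_CREATE_USER';
SET SESSION sql_mode = 'NO_AUTO_CREATE_USER';

-- Under the default sql_mode this GRANT would create 'app'@'localhost'
-- with an empty password; with NO_AUTO_CREATE_USER it is rejected with an
-- error instead, because no password was supplied and the user does not exist.
GRANT SELECT ON shop.* TO 'app'@'localhost';

-- Creating the account explicitly with a non-empty password is accepted.
CREATE USER 'app'@'localhost' IDENTIFIED BY 'CHANGE_ME_app_password';
GRANT SELECT ON shop.* TO 'app'@'localhost';

-- 4. Verify: no account should remain without a password.
SELECT host, user FROM mysql.user WHERE password = '';
```

Run the verification query again from a fresh connection to confirm the global sql_mode took effect for new sessions as well.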
MySQL 5.1.47
In addition to the security update, MySQL 5.1.47 is also very important for an additional reason. The InnoDB plugin that ships with this version has been updated to 1.0.8, which is …