It is sad to see how 9X% (or should that be 99.X%?) of SQL applications are riddled with SQL injection bugs.

There really is no excuse for this. Nobody writes code like this:

sub stupid_sum {
    my ($list) = @_;
    my $string = shift @$list;
    for (@$list) {
      $string .= " + " . $_;
    }
    my $sum = eval($string);
    return $sum;
}

Right? Just because our computers use the Von Neumann architecture, where CPU instructions and data is stored in the same memory, does not mean that we cannot distinguish between code and data (ok, so in TeX we do not, but there is a reason TeX is not pleasant to write applications in).

So when we use …

Preventing MySQL Injection Attacks With GreenSQL On Debian Etch

GreenSQL (or greensql-fw) is a firewall for MySQL databases that filters SQL injection attacks. It works as a reverse proxy, i.e., it takes the SQL queries, checks them, passes them on to the MySQL database and delivers back the result from the MySQL database. It comes with a web interface (called greensql-console) so that you can manage GreenSQL through a web browser. This guide shows how you can install GreenSQL and its web interface on a Debian Etch server.

I’ve been working with a client recently who has SELinux on his servers.  It has been quite a struggle sometimes.

My colleages tell me that SELinux has a pretty noticeable performance impact.  I am not sure if we have benchmarks to support this; at any rate, the client said it’s OK, we’ll take the performance hit.

There [...]

This Monday, September 8th, the Boston MySQL User Group broke our 2-month summer hiatus with a presentation on MySQL Views.

The slides can be downloaded from http://www.technocation.org/files/doc/2008_09_Views.pdf -- 89 kB, .pdf format.

The 199 Mb .flv file can be downloaded at http://technocation.org/node/621/download or played directly in your browser at http://technocation.org/node/621/play.

The presentation covers:

read more

If you are security conscious and nowadays who isn’t?, you may have pondered over ways to make your external SSH connection safer.
Of course there’s always One-time Passwords and Public Keys, but if like me you watch the daily barrage of brute force attacks you may be thinking it’s only a matter of time…

That’s what I was thinking at about the same time an SMS arrived on my mobile….then it hit me….I take my mobile everywhere, if only my server could call me and ask if it is really me trying to log in.

My first instinct was to try and insert a Perl or Python script into the login process. After all …

Last week I gave my first webinar for MySQL titled “Bau sicherer LAMP Anwendungen”. The webinar, which was a cooperation between MySQL and my company SektionEins, was held in german, covered SQL-Malware, SQL-Injection, safe programming and some tools to detect and block SQL-Injection attacks.

The recording of this webinar is now available on the MySQL site.

For those that only want to see my slides they are available on the MySQL site after registration or here.

Because it was a german webinar the recording and slides are in german, too.

While SQL-Injection is one of the most discussed security problems in web applications other possible problems for SQL queries like overlong input are usually ignored although they can lead to all kinds of security problems.

This might be caused by the fact that security problems that are the result of overlong input are often buffer overflows and buffer overflows are something many web application security experts know nothing about and choose to ignore.

There are however several security problems for SQL queries that are caused by overlong input and no one talks about.

max_packet_size

In MySQL there exists a configuration option called max_packet_size which is set to one megabyte by default and controls the maximum size of a packet sent between the SQL client and server. When queries or result rows do not fit into a single packet a error is raised. This means an overlong SQL query is never sent to the server …

I previously reported about my joy with MySQL-Proxy and a simple SQL-Injection detection based on a simple heuristic.

Today I present the more interesting approach that I promised to publish after my webinar yesterday. This approach is based on the idea that SQL queries issued by an application always have a certain structure. This structure can be learned and remembered by MySQL-Proxy. Any SQL query that has a different structure can then be considered an attack.

Training Mode

The first Lua script learn_sql_queries.lua uses MySQL-Proxy’s read_query hook to catch COM_INIT_DB and COM_QUERY packets. COM_INIT_DB packets are issued when the database is …

Josh Berkus' "Safe Data is Happy Data" (originally entitled "Lock Up Your Data") goes talks about defense in depth -- going beyond firewalls and other "perimeter defense" mechanisms such as middleware and web server tools. Berkus explains "full-stack security" including preventing SQL injection, data abstraction, database permissions, and even what to do after an attack.

Stream directly online at http://technocation.org/node/591/play or download the 346 Mb .wmv file at .

From the official OSCon description:

read more

“MySQL Proxy is a simple program that sits between your client and MySQL server(s) that can monitor, analyze or transform their communication. Its flexibility allows for unlimited uses; common ones include: load balancing; failover; query analysis; query filtering and modification; and many more.”

The flexibility of MySQL Proxy is based on the fact that every aspect is scriptable with Lua. Because I am new to MySQL Proxy and the Lua language I tried to implement a very simple script that waits for incoming SQL queries, tokenizes them and tries to detect SQL Injection heuristically by searching for certain disallowed SQL functions, databases, tables, statements or comments. When an SQL query is believed to contain an SQL injection is it not executed and a “Possible SQL …