'Security' Tag

  • Passwords which are bad for your health

    December 20, 2009

I’ve seen some passwords that took a few years off my life.
I mean, we all know about dictionary words, right? And we’ve all seen Spaceballs, right? But choosing 12345 as your password is not the only careless option: there are many more! The more familiar I get with users’ passwords, the more I see how [...]

  • Even more on MySQL password security

    June 8, 2009

    This post follows Ronald Bradford’s More Basic MySQL Security, and Lenz Grimmer’s Basic MySQL Security: Providing passwords on the command line and More on MySQL password security.
    In Ronald’s post I’ve argued that passwords provided on command line are visible in plaintext on “ps aux”. Lenz has argued that this is incorrect, providing the source code [...]

  • Blocking user accounts

    March 5, 2009

A long-missing feature in MySQL is temporarily blocking accounts: denying a user the ability to log in, without affecting any of her other privileges.
    There is no such privilege as ‘LOGIN’ in the grants table, as the ability to log in is the most basic one MySQL allows. This basic privilege is called USAGE.
    I’ll present a [...]

  • `;`.`*`.`.` is a valid column name

    February 12, 2009

    And the following query:

    SELECT `;`.`*`.`.` FROM `;`.`*`;

    is valid as well. So are the following:

    DROP DATABASE IF EXISTS `;`;
    CREATE DATABASE `;`;
    CREATE TABLE `;`.`*` (`.` INT);
    CREATE TABLE `;`.““ (`.` INT);
    CREATE TABLE `;`.`$(ls)` (`.` INT);

  • MySQL security: data integrity issues

    January 21, 2009

    MySQL’s security model is not as elaborate as other popular databases. It’s missing quite a lot.
    I wish to point out what I think are some very disturbing security holes, which may affect the database integrity.
    This post is not about Roles, Kerberos, IPs and such. It’s about simple MySQL features, which allow common, unprivileged users, to [...]

  • Triggers Use Case Compilation, Part I

    January 5, 2009

    I’ve run by quite a few triggers lately on production systems. In previous posts, I’ve written about problems solved with triggers. So here’s a compilation of some solutions based on triggers; and some problems which are not (yet?) solvable due to current triggers limitations.
    Triggers can be used to:

      • Maintain integrity
      • Enhance security
      • Enhance logging
      • Assist with archiving
      • Restrict table size
      • Manage [...]

  • Using triggers to block malicious code: an example

    January 1, 2009

    Web applications face constant exploitation attempts. Those with a user base must keep their users’ private data, well… private.
    While the MySQL security model allows restricting users’ access to databases, tables and even columns, it has no built-in feature for restricting access to particular rows within a given table.
    One cannot allow a user to only update [...]

  • Dangers of skip-grant-tables

    November 13, 2008

    When MySQL’s root password is lost and must be reset, there are two popular ways to create a new password. One of the options is far too popular, in my opinion.
    The preferred way of setting root’s password is by using an init-file. The process for doing this is well explained in MySQL’s manual. Using [...]
