GreenSQL is an Open Source database firewall used to protect databases from SQL injection attacks. GreenSQL works as a proxy and has built-in support for MySQL. The logic is based on evaluation of SQL commands using a risk scoring matrix as well as blocking known db administrative commands (DROP, CREATE, etc). GreenSQL is distributed under the GPL license.

GreenSQL-FW: 0.9.6 released

GreenSQL is a database firewall used to protect databases from SQL injection attacks. The new release fixes a number of critical bugs. We recommend that all users upgrade.

This release includes a number of pre-built packages for popular operating systems. We supply packages for: CentOS, openSUSE, Fedora, Ubuntu, Debian.

List of changes:
1. Code optimization.
2. Minor management bugs were fixed.
3. New MySQL patterns and commands added.
4. A number of risk matrix calculation bugs were fixed.
5. Debian package was enhanced. A lot of bugs were fixed.

GreenSQL Performance Test

GreenSQL is becoming a popular product. We have received a number of questions from our users about database firewall performance. In addition, in the new application version, we made numerous optimization patches. To fill the gap, we decided to perform performance tests and publish the results.

OWASP Israel 2008 Conference

If you live in Israel, you have a chance to get more information about GreenSQL. Next Sunday, 14/09/2008, I am giving a presentation about GreenSQL at the OWASP Israel 2008 Conference.

At this event I am going to talk about MySQL security and how GreenSQL can help you raise your protection level. The new version of the GreenSQL SQL firewall will be described.

Update: here you can find the presentation.

One of the MySQL engineers requires help

I would like to use this post to reference one of the posts published on the mysql.com website. A lot of MySQL users visit our site and I think our users will be willing to help. Here are the full details:

Donations are requested to help Andrii Nikitin, a MySQL support engineer in Ukraine, provide for his son Ivan who requires a bone marrow transplant operation. The cost of this operation is expected to be between €150,000 - €250,000 ($235,000 - $400,000). Please help us provide Ivan a chance to live.

More information can be found here: http://www.mysql.com/about/help-ivan.html

GreenSQL featured on Linux.com

I have good news for all users. GreenSQL was featured on the Linux.com website!!!
Here is the direct link: http://www.linux.com/feature/145341

I have good news for the article readers. The next version will be distributed with a pre-built package for Fedora. In addition, the DELETE query will be handled appropriately. Here you can find complete details.

The next version will be released within a week or two.

Best regards,
Yuli

Backdoor webserver using MySQL SQL Injection

MySQL Database is a great product used by thousands of websites. Various web applications use MySQL as their default database. Some of these applications are written with security in mind, and some are not. In this article, I would like to show you how you can exploit SQL injection in order to gain almost full control over your webserver.

SQL Comments Handling

My little SQL honey project (http://demo.greensql.net/) revealed a problem in the existing implementation of the GreenSQL SQL firewall. It turns out that an SQL query located in the whitelist can basically make the system ignore another query that has SQL comments inside. To make things clearer, I will give an example.

Let's say I have the following SQL pattern in the whitelist:

“SELECT * from accounts where id = ?”

This query looks legitimate and it is indeed ok. Now, the system receives the following SQL command:

SQL Injection Test Page

I finally finished coding the SQL injection test page. I coded it as a Drupal plugin. This SQL injection page can be used to evaluate SQL protection using the GreenSQL database firewall. In addition, all blocked SQL queries are shown in the demo version of GreenSQL installed at this site. You can reach the SQL injection test page using the following URL:

http://www.greensql.net/sql-injection-test
