<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
    <title>Blog of Max Horvath</title>
    <link rel="alternate" type="text/html" href="http://www.maxhorvath.com/" />
    <link rel="self" type="application/atom+xml" href="http://www.maxhorvath.com/atom.xml" />
    <id>tag:www.maxhorvath.com,2008-03-19://1</id>
    <updated>2008-11-04T13:58:17Z</updated>
    <subtitle>For more quality in software products ...</subtitle>
    <generator uri="http://www.sixapart.com/movabletype/">Movable Type Open Source 4.1</generator>

<entry>
    <title>Problems when upgrading to Ubuntu 8.10 - Kernel panic - Unable to mount root fs</title>
    <link rel="alternate" type="text/html" href="http://www.maxhorvath.com/2008/11/problems-when-upgrading-to-ubuntu-810-kernel-panic-unable-to-mount-root-fs.html" />
    <id>tag:www.maxhorvath.com,2008://1.26</id>

    <published>2008-11-04T13:46:12Z</published>
    <updated>2008-11-04T13:58:17Z</updated>

    <summary>Yesterday I was upgrading my laptop at work from Ubuntu 8.04 to the newly released version 8.10. I had no errors in this version using the LiveCD. But when I restarted the computer and tried to run Ubuntu 8.10 I had this problem:

Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(0,0)</summary>
    <author>
        <name>Max Horvath</name>
        <uri>http://www.maxhorvath.com</uri>
    </author>
    
        <category term="Misc" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="fix" label="Fix" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="grub" label="Grub" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="intrepidibex" label="Intrepid Ibex" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="kernelpanic" label="Kernel Panic" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="linux" label="Linux" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="ubuntu" label="Ubuntu" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.maxhorvath.com/">
        <![CDATA[<p>
Yesterday I was upgrading my laptop at work from <a href="http://www.ubuntu.com/">Ubuntu</a> 8.04 to the newly released version 8.10. I had no errors in this version using the LiveCD. But when I restarted the computer and tried to run Ubuntu 8.10 I had this problem:
</p>

<textarea name="code" class="html:nogutter:nocontrols" cols="60" rows="10">
Kernel panic - not syncing: VFS: Unable to mount root fs on unknown-block(0,0)
</textarea>

<p>
Using the newest kernel of Ubuntu Hardy (8.04) - version 2.6.24-21 - I could still boot really nicely into the new system.
</p>

<p>
Booting into Ubuntu 8.10 using the LiveCD and its kernel 2.6.27-7, there were also no problems at all.
</p>

<p>
After some googling I found the quite silly solution. Turns out the script that updated the /boot/grub/menu.lst didn't include the initrd line for some insane reason. So, in menu.lst I had:
</p>

<textarea name="code" class="html:nogutter:nocontrols" cols="60" rows="10">
...
title           Ubuntu 8.10, kernel 2.6.27-7-generic
root            (hd0,4)
kernel          /boot/vmlinuz-2.6.27-7-generic root=UUID=********-****-****-****-************ ro splash
...
</textarea>

<p>
No initrd line! Just add the initrd line so it looks like this:
</p>

<textarea name="code" class="html:nogutter:nocontrols" cols="60" rows="10">
...
title           Ubuntu 8.10, kernel 2.6.27-7-generic
root            (hd0,4)
kernel          /boot/vmlinuz-2.6.27-7-generic root=UUID=********-****-****-****-************ ro splash
initrd          /boot/initrd.img-2.6.27-7-generic
...
</textarea>

<p>
Almost too obvious. Well, I hope the folks at the Ubuntu team will be fixing the grub update script quite soon to include the initrd line again.
</p>

<p>
Don't forget to change your UUID to suit you. You can find out what the UUID of a file system is with the vol_id command. For example "vol_id /dev/sda1". You can always discard the UUID, and just use root=/dev/sda<strong>x</strong>.
</p>]]>
        
    </content>
</entry>

<entry>
    <title>Protecting your MySQL database from SQL injection attacks with GreenSQL</title>
    <link rel="alternate" type="text/html" href="http://www.maxhorvath.com/2008/09/protecting-your-mysql-database-from-sql-injection-attacks-with-greensql.html" />
    <id>tag:www.maxhorvath.com,2008://1.17</id>

    <published>2008-09-05T15:15:00Z</published>
    <updated>2008-10-31T17:49:48Z</updated>

    <summary>SQL injection attacks can allow hackers to execute arbitrary SQL commands on your database through your website. To avoid these attacks, every piece of data supplied to your web application, either via a web form or via web services, or other means, must be validated to not contain information that is not expected. GreenSQL is a firewall for SQL - it sits between your Website and your MySQL database server and decides which SQL statements should and should not be executed.</summary>
    <author>
        <name>Max Horvath</name>
        <uri>http://www.maxhorvath.com</uri>
    </author>
    
        <category term="Misc" scheme="http://www.sixapart.com/ns/types#category" />
    
        <category term="PHP" scheme="http://www.sixapart.com/ns/types#category" />
    
    <category term="greensql" label="GreenSQL" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="mysql" label="MySQL" scheme="http://www.sixapart.com/ns/types#tag" />
    <category term="security" label="Security" scheme="http://www.sixapart.com/ns/types#tag" />
    
    <content type="html" xml:lang="en" xml:base="http://www.maxhorvath.com/">
        <![CDATA[<p>
<a href="http://en.wikipedia.org/wiki/SQL_injection" onClick="javascript: pageTracker._trackPageview ('/outgoing/wikipedia.org');">SQL injection</a> attacks can allow hackers to execute arbitrary SQL commands on your database through your website. To avoid these attacks, every piece of data supplied to your web application, either via a web form or via web services, or other means, must be validated to not contain information that is not expected.
</p>

<p>
<a href="http://www.greensql.net/" onClick="javascript: pageTracker._trackPageview ('/outgoing/greensql.net');">GreenSQL</a> is a firewall for SQL - it sits between your Website and your <a href="http://www.mysql.com/" onClick="javascript: pageTracker._trackPageview ('/outgoing/mysql.com');">MySQL</a> database server and decides which SQL statements should and should not be executed. GreenSQL is distributed under the GPL license.
</p>

<h3><strong><big>Introduction</big></strong></h3>

<p>
GreenSQL is a proxy for MySQL databases. Web applications should connect to GreenSQL, which runs each query through a filter and forwards legitimate SQL queries to your MySQL database. The result of the query is returned through GreenSQL, too (it is a proxy). If GreenSQL detects a query that is not whitelisted and that includes suspicious SQL, it will block that query and return an empty result set without contacting the MySQL database.
</p>

<p>
GreenSQL consists of two components: the proxy server / firewall itself and the management interface. You can see a demo of the management interface at <a href="http://demo.greensql.net/" onClick="javascript: pageTracker._trackPageview ('/outgoing/greensql.net');">demo.greensql.net</a>.
</p>

<p>
The proxy server / firewall is written in C/C++ and the management interface in PHP.
</p>

<span class="mt-enclosure mt-enclosure-image" style="display: inline;"><a href="http://www.maxhorvath.com/images/protecting_your_mysql_database/greensql-architecture.html" onclick="window.open('http://www.maxhorvath.com/images/protecting_your_mysql_database/greensql-architecture.html','popup','width=640,height=173,scrollbars=no,resizable=no,toolbar=no,directories=no,location=no,menubar=no,status=no,left=0,top=0'); return false"><img src="http://www.maxhorvath.com/images/protecting_your_mysql_database/greensql-architecture-thumb-400x108.jpg" width="400" height="108" alt="Greensql Architecture" class="mt-image-center" style="text-align: center; display: block; margin: 0 auto 20px;" /></a></span>

<p>
Even though GreenSQL hasn't reached the 1.0 status, there are already packages available for popular *nix distributions like FreeBSD, Debian, Ubuntu, Fedora and SuSe. Compiling from source has been made easier now, too - there is an automatic database configuration tool, which makes installation much easier than before.
</p>

<h3><strong><big>Using GreenSQL</big></strong></h3>

<p>
The GreenSQL configuration file allows you to set how risky you think certain things are. For example you can assign a weight to the use of certain keywords. The logic is based on evaluation of SQL commands using a risk scoring matrix as well as blocking known db administrative commands (DROP, CREATE, etc). After a specific block level has been reached, the query will not be forwarded to the MySQL server.
</p>

<p>
The management interface gives you an overview of queries used to contact your MySQL database. Given those details, it's easy to fine tune the rules. Each time GreenSQL considers a SQL query as a security risk - it is blocked. You can alter this behavior for a specific query by explicitly adding it to the whitelist.
</p>

<h3><strong><big>Conclusion</big></strong></h3>

<p>
GreenSQL is not production-ready yet. But you should keep an eye on it and give it a try in some of your test projects - I think it has huge potential.
</p>]]>
        
    </content>
</entry>

<entry>
    <title>Welcome to my new blog</title>
    <link rel="alternate" type="text/html" href="http://www.maxhorvath.com/2008/03/welcome-to-my-new-blog.html" />
    <id>tag:www.maxhorvath.com,2008://1.3</id>

    <published>2008-03-04T09:35:33Z</published>
    <updated>2008-03-04T23:11:46Z</updated>

    <summary>Hey everybody, I&apos;ve just decided to restart my blog. I plan to post about topics regarding Quality Assurance, especially focusing on PHP web applications. Due to my position as Quality Manager at studiVZ Ltd., Europe&apos;s largest social network, I hope...</summary>
    <author>
        <name>Max Horvath</name>
        <uri>http://www.maxhorvath.com</uri>
    </author>
    
        <category term="Misc" scheme="http://www.sixapart.com/ns/types#category" />
    
    
    <content type="html" xml:lang="en" xml:base="http://www.maxhorvath.com/">
        <![CDATA[<p>Hey everybody, I've just decided to restart my blog.</p>

<p>I plan to post about topics regarding Quality Assurance, especially focusing on <span class="caps">PHP </span>web applications.</p>

<p>Due to my position as Quality Manager at <a href="http://www.studivz.net/">studiVZ Ltd.</a>, Europe's largest social network, I hope to give you valuable insights into our testing strategies which you can use in one of your current or next projects.</p>]]>
        
    </content>
</entry>

</feed> 