Just a pro-tip to anyone looking to persist information coming in from remote clients... please, please, please never directly expose your DB (or effectively expose your DB by having SQL generated by the client or using a library to autogenerate SQL based on a query request)... Just put a dumb layer of PHP/Node/Python/whatever you like between clients and the DB. It is immensely difficult to properly secure data if uncontrolled clients can connect to the DB - it is possible - but it takes far more work than you'd like to put in.
Putting a thin application layer in front of the DB means that you're effectively whitelisting what operations are legal to run on the host and that makes your security life so much easier.
or, alternatively, always treat your database roles as though they can be directly manipulated by the end user, and you'll eliminate an entire class of injection vulnerabilities.
my favorite example of this is SchemaVerse, a game fully implemented in pgsql.
There are still some database injections that are possible in MongoDB (although they definitely tend to be less common due to the query language not being text-based). The most common type is when someone directly uses the data from a quest in the query without checking the type; for example, if you have a query that says "delete the user with id ____" and then pass in the id directly from the POST request without checking the type, someone could make a request with a body of `{ "$nin: [] }` (i.e. "not in the empty array"), which would then delete every user in the database. The fix, in this case, is just to check the type of the request data before serializing it into the query; in the example above, you could just return an error if you get anything other than a single user id.
Here, take my upvote. Can’t remember the last time someone seemed to genuinely apologize, explain what act they’re apologizing for, acknowledges their knowledge gaps and seems to actually thank their corrector, all the while sprinkling the comment with a hint of self-deprecation…
I also didn't understand that you were making a joke, and was sitting here wondering how using a different type of database would solve this kind of problem.
Similar to the sibling comments, I genuinely didn't realize you were joking either (although looking back now, it definitely seems more obvious!). Either way, I tend to be in the minority that doesn't mind jokes on Hacker News, so I'll give you an upvote as well
Please, yes. At a previous job, a department used a Windows accounting app that had a machine-level ODBC connection with the database credentials saved in it. A user figured out you could use Microsoft Query to pull data from the ODBC connection into Excel. This worked well until she accidentally deleted 90% of the vendor records from the database while trying to filter some data. I couldn't even really be upset at the user, a bunch of dumb product design decisions had to align like swiss cheese for this to happen.
Ouch, the prior post (https://kernal.eu/posts/linuxfx/) is even worse. Just... how did anyone think that exposing a mysql database to the wide Internet is a good idea?!
Even by the time of this post they've still got that DB exposed to the open internet - their update was just an attempt to obscure it, not an actual fix.
Ah, the traditional "solution" to people finding a massive security problem in your software: Make it try to kill any tracing programs and failing that refuse to run if you can detect any debug-type tools running. That will surely prevent people from bypassing your utterly trivial client-side protections! /s
The author didn't say how much money they made, but I wonder how the author of this theme they link as being used in the plasma version of linuxfx on their website would feel: https://www.pling.com/p/1367154/ - given that they seem to have straight up pirated it.
Isn't that theme licensed under the GPLv3? AFAIK they do publish all of their changes on SourceForge. To be clear I think Linuxfx is trash, but that doesn't make it "pirating" GPL software.
There's no link to any external source code anywhere on the page, and I tried googling for "PlasmaX Login"/"PlasmaX" and found nothing but the Pling link.
Just because LinuxFx re-uploaded this theme to Sourceforge doesn't make it GPLed.
Response from the developer in the Linuxfx-Forums[1]:
"Unfortunately there are people who like to gain popularity by doing this kind of reverse work, but we are working on a final solution. [...] The Linuxfx activation system was written in a basic way, because at the time we did not imagine that we would have so many users and would attract the attention of hackers."
The ol' "We didn't think we'd be hacked!" excuse is getting very tired. There was a very small window in time where that was a legitimate excuse, but its been at least a decade or two since that time.
“We didn’t think” should be the focal point here. Whether it’s being hacked, or “no one would notice”, or whatever. “We didn’t think” means a hasty launch without thinking about side effects and consequences. Every good team will think about the “what if” scenarios. Any good engineer would have caught this and said “yeah, maybe we shouldn’t do that…”
Not to mention the attempt to try to deflect the blame onto the people who exposed the bug. I don't think it's "unfortunate" for people to find things like this, and I don't care if their only motive is to gain popularity.
Oh my lord, these developers are not at all mature. Just after seeing this, and the following information below, I'll be recommending everyone stay away from LinuxFX. Their response to very substantial security issues and the fact that (according to TechRadar) they bundle proprietary programs is enough of a red flag to me.
Any junior engineer would know that letting clients connect to your MySQL database is a terrible terrible idea. No amount of (bad) obfuscation can fix that. It would be much more sensible to make a proxy application like NodeJS or PHP (as suggested by another commenter) that can then control public access to the internal database.
N.B. According to Urban Dictionary (as this one is new to me), Lammer means "A person who knows very little about computers/computing. It also refers to a person who pretends to be a hacker but is not."
FWIW this might be new to you because written correctly it's a 'lamer' usually and not only used for computing related things. I had never read it as 'lammer' either and even though there is one entry with that spelling in the urban dictionary, from the looks of it and what Google says otherwise, that's just someone mis-spelling it. Happy to be corrected on this with proper evidence but otherwise I think this just points towards the real 'lammers' ;)
35 comments
[ 2.7 ms ] story [ 85.0 ms ] threadIt is Linuxfx, product of a Brazilian software company with the same name
> Linuxfx brings all the main tools of Microsoft Windows 11, this includes control panel, configuration screens, login, logout
Putting a thin application layer in front of the DB means that you're effectively whitelisting what operations are legal to run on the host and that makes your security life so much easier.
my favorite example of this is SchemaVerse, a game fully implemented in pgsql.
https://schemaverse.com/
I also didn't understand that you were making a joke, and was sitting here wondering how using a different type of database would solve this kind of problem.
Just because LinuxFx re-uploaded this theme to Sourceforge doesn't make it GPLed.
"Unfortunately there are people who like to gain popularity by doing this kind of reverse work, but we are working on a final solution. [...] The Linuxfx activation system was written in a basic way, because at the time we did not imagine that we would have so many users and would attract the attention of hackers."
[1]: https://sourceforge.net/p/linuxfxdevil/discussion/general/th...
It’s very difficult to come off as having integrity when you argue from both sides simultaneously.
N.B. According to Urban Dictionary (as this one is new to me), Lammer means "A person who knows very little about computers/computing. It also refers to a person who pretends to be a hacker but is not."
Also, in the previous article: "Gambas [is] a Visual Basic ripoff". Meh.
Apparently, yes. https://en.wiktionary.org/wiki/skid#Etymology_3