Securing SQL Server

Protecting Your Database from Attackers


MySQL.com compromised via SQL Injection attack. Someone should have read Chapter 6.

Author: mrdenny

For those of you who were wondering, SQL Server isn’t the only platform that can be attacked via SQL Injection.  Apparently the MySQL.com website, which hosts the official distribution channel for the MySQL database platform, was attacked using good old SQL Injection earlier today (the notice went out via seclists.org and included their schema).

Often I hear from MySQL professionals that MySQL isn’t susceptible to SQL Injection attacks.  Apparently not only is it susceptible to SQL Injection attacks, but the company that writes the MySQL engine couldn’t correctly secure its own website from being attacked.  According to sucuri.net the “customer view application was used as the entry point, where the attackers were able to list the internal databases, tables and password dump…”.  Not only was the password dump captured and posted online, but people have begun cracking the passwords, and some of these passwords are stupidly simple.  The account sysadm (which I assume is pretty important) has a password of “qa”.

Apparently the Director of Product Management (who has 20+ years of experience with most database platforms) used a 4-digit numeric password (probably his ATM PIN) as his password.

Needless to say, if you have an account on mysql.com and you use that password anywhere else, you should change it everywhere you use it.

If you think that your application is susceptible to SQL Injection attacks, I recommend chapter 6 (SQL Injection Attacks) of “Securing SQL Server”, which covers how to prevent them.  The examples I provide there are not SQL Server specific, and the techniques shown for preventing SQL Injection can be used on pretty much any relational database platform.
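The core of that chapter's advice is platform-independent, so here is an added example (my own illustration, not code from the book or from the mysql.com application) of the pattern in working code. It shows a lookup query built by string concatenation, the two payloads that matter most in an incident like this one (a tautology that returns every row, and a UNION that lists the schema the way the sucuri.net quote describes), and the same lookup written with a bound parameter. It uses Python's bundled sqlite3 module so it runs offline; the `users` table, its rows and the hashes in it are constructed sample data, not anything from the breach.

```python
"""Added example: string-built SQL versus a parameterized query.

Runs against an in-memory SQLite database; every row is constructed sample
data.  The vulnerable function is deliberately written the way the flawed
"customer view" style of code typically is, so the payloads work against it.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a small customer table with one admin account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pwhash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            ("alice", "hash-a", "customer"),
            ("bob", "hash-b", "customer"),
            ("sysadm", "hash-s", "admin"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """VULNERABLE: the caller's text is spliced into the SQL statement.

    A single quote inside `name` terminates the string literal, and whatever
    follows is parsed by the engine as SQL, not as data.
    """
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """HARDENED: the statement text is fixed; `name` is sent as a bound value.

    The engine compiles the query with a placeholder and never parses the
    supplied value as SQL, so quotes, comments and UNIONs in it are inert.
    This is the '?' placeholder style that most drivers expose.
    """
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


# Two classic payloads.  The first turns the WHERE clause into a tautology
# and returns every row; the second appends a UNION against the catalog
# (sqlite_master here; information_schema on MySQL/SQL Server) and comments
# out the trailing quote, which is how attackers enumerate tables.
TAUTOLOGY = "x' OR '1'='1"
SCHEMA_DUMP = "x' UNION SELECT name, sql FROM sqlite_master --"


def demo() -> dict:
    """Run both lookups with a normal value and with each payload."""
    conn = make_db()
    return {
        "vuln_normal": lookup_vulnerable(conn, "alice"),
        "vuln_tautology": lookup_vulnerable(conn, TAUTOLOGY),
        "vuln_schema": lookup_vulnerable(conn, SCHEMA_DUMP),
        "safe_normal": lookup_safe(conn, "alice"),
        "safe_tautology": lookup_safe(conn, TAUTOLOGY),
        "safe_schema": lookup_safe(conn, SCHEMA_DUMP),
    }


if __name__ == "__main__":
    for key, rows in demo().items():
        print(f"{key:15} -> {rows}")
```

The vulnerable function hands back all three accounts for the tautology and the `CREATE TABLE` text for the schema payload; the parameterized function returns `alice` for the normal input and nothing at all for either payload, because it is looking for a user literally named `x' OR '1'='1`. Note that escaping quotes by hand is not a substitute for binding: the fix is to stop concatenating user input into SQL text, on MySQL, SQL Server or anything else.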

Denny

UPDATE (1pm PST 2011/03/27): Apparently the SSL certificate for logging into the MySQL.com website expired a month ago.  I found this because I was going to try to log in with my normal passwords (I’m pretty sure I have a mysql.com account), but with this error message I’m not so sure about that.  It’s probably OK, but still…

Tags: MySql.com, Securing SQL Server, SQL Injection

This entry was posted on Sunday, March 27th, 2011 at 12:39 pm and is filed under Securing SQL Server.

13 Responses to “MySQL.com compromised via SQL Injection attack. Someone should have read Chapter 6.”

March 27th, 2011 at 2:39 pm

ceejayoz says:

“Often I hear from MySQL professionals that MySQL isn’t susceptible to SQL Injection attacks.”

What? Preventing SQL injection is part of just about any basic MySQL+PHP tutorial out there. Who are these people you’re finding?!

They’re certainly not “professionals”.

March 27th, 2011 at 3:06 pm

C says:

“Often I hear from MySQL professionals that MySQL isn’t susceptible to SQL Injection attacks.”

Who has ever said this? This line by itself makes me question the validity if this whole article.

March 27th, 2011 at 3:17 pm

mrdenny says:

I’ll find a site or two that I can cite when I get back home. I’m on the road at the moment. Give me a few hours.

March 27th, 2011 at 3:25 pm

Ned Batchelder says:

@mrdenny: I don’t doubt that there are people saying “MySQL isn’t susceptible to SQL injection attacks,” of course there are. There are fools in every profession. But why would you ever have believed them? This SQL injection attack is embarrassing for MySQL, but you shouldn’t take it as evidence of those fools being wrong, you should have known they were obviously wrong the moment the words left their mouths. No references needed…

March 27th, 2011 at 4:19 pm

Walter says:

@mrdenny “Often I hear from MySQL professionals that MySQL isn’t susceptible to SQL Injection attacks.” – That is completely false. Maybe it isn’t susceptible to exactly the same attacks but there are attacks.

March 27th, 2011 at 5:41 pm

mrdenny says:

Ned,
Of course I knew they were wrong. However they are still giving out the bogus info about mysql. My post obviously (I hope) wasn’t a dig against MySQL but against people who don’t know how to correctly write software.

SQL injection is clearly a client issue. I understand that MySQL has a flag to make SQL injection much harder to do (I know a lot less about MySQL than I probably should) which is where I think a lot of newer MySQL users get the idea that SQL injection against MySQL isn’t possible.

Denny

March 28th, 2011 at 2:19 am

The official MySQL website hacked via an SQL injection vulnerability | The Technical Magazine says:

[...] the MySQL.com site (the official site of the MySQL database) was hit yesterday by an SQL injection attack that gave the attackers a complete copy of the database [...]

March 28th, 2011 at 4:56 am

The official MySQL website hacked via an SQL injection vulnerability – DZ Pall says:

[...] the MySQL.com site (the official site of the MySQL database) was hit yesterday by an SQL injection attack that gave the attackers a complete copy of the database [...]


March 28th, 2011 at 2:42 pm

dAm2K says:

The MySQL library provides a secure way of running SQL queries. It’s named Prepared Statement.
It consists of question marks that you can pass to the method that executes the query. It’s very secure because you do not have to use quoting characters for the query parameters. That’s because they say MySQL is SQL injection aware.

April 5th, 2011 at 6:55 pm

the Usage of GPG | Jasey Wang says:

[...] MySQL was attacked, and right now (March 31, 2011 [...]

April 12th, 2011 at 11:47 am

Securing SQL Server » Blog Archive » Looks like MySQL isn’t the only company to be susceptible to a SQL Injection Attack (looking at you Barracuda) says:

[...] the first SQL Injection attack to happen recently.  Just a couple of weeks ago MySQL.com’s website was attacked also using SQL Injection and a large amount of information was taken from their database as [...]

