Securing SQL Server

Protecting Your Database from Attackers

  • Home
  • Other Books
  • Sample Code Downloads

Posts Tagged ‘MySql.com’

MySQL.com compromised via SQL Injection attack. Someone should have read Chapter 6.

Sunday, March 27th, 2011

For those of you that were wondering, SQL Server isn’t the only platform which can be attacked via a SQL Injection attack.  Apparently the MySQL.com website which hosts the official distribution channel for the MySQL database platform was attacked using good old SQL Injection earlier today (notice sent out via seclists.org including their schema).

Often I hear from MySQL professionals that MySQL isn’t susceptible to SQL Injection attacks.  Apparently not only is it susceptible to SQL Injection attacks, but the company that writes the MySQL engine can’t correctly secure their website from being attacked.  According to sucuri.net the “customer view application was used as the entry point, where the attackers were able to list the internal databases, tables and password dump…”.  Not only was the password dump captured and posted only, but people have begun cracking the passwords, and some of these passwords are stupidly simple.  The account sysadm (which I assume is pretty important) has a password of “qa”.

Apparently the Director or Product Management (who has 20+ years experience with most database platforms) used a 4 digit numeric password (probably his ATM pin code) as his password.

Needless to say, if you have an account on mysql.com and you use that password anywhere, you should probably change that password anywhere else that you use it.

If you think that your application is susceptible to SQL Injection attack, I recommend chapter 6 (SQL Injection Attacks) of “Securing SQL Server” which talks about how to prevent SQL Injection attacks.  The examples which I provide are not SQL Server specific and the techniques shown to prevent SQL Injection attacks can be used against pretty much any relational database platform.

Denny

UPDATE (1pm PST 2011/03/27): Apparently the SSL certificate for logging into the MySQL.com website expired a month ago.  The reason that I found this was that I was going to try and log in with my normal passwords (I’m pretty sure I have a mysql.com account) but with this error message, I’m not so sure about that.  It’s probably OK, but still…

Tags: MySql.com, Securing SQL Server, SQL Injection
Posted in Securing SQL Server | 13 Comments »

  • Categories

    • (author unknown) (1)
    • Amazon (7)
      • Kindle (4)
    • Karen Lopez (2)
    • Microsoft (3)
    • Securing SQL Server (15)
      • Review Link (1)
    • Soulskill (2)
    • Unknown Lamer (1)

  • Second Edition Now Available

  • Code Downloads

    Code downloads are available for the Second Edition of the book from this page.

  • Tags

    (author unknown) 978-1597499477 1597499471 AlwaysOn Security Amazon Auto Blogged Barracuda Book Review Clustering Security CNET Contained Databases Contained Logins Database Firewalls Data Security Dev Connections EXECUTE AS Free Chapter Friends I hate AT&T Jen McCown Karen Lopez Kindle Microsoft MidnightDBA MySql.com nstant File Initialization Review SAN Security Sean McCown Securing SQL Server Security SQL Server 2nd Edition SHA2 Soulskill SQL Connections SQL Injection Tech Ed Unknown Lamer

  • Recent Posts

    • Health Data Breaches – Insider Data Trading?
    • NTLM 100% Broken Using Hashes Derived From Captures
    • Ruby On Rails SQL Injection Flaw Has Serious Real-Life Consequences
    • An Audible Data Privacy Breach
    • Are Your Protecting Your DB Backups?

  • Archives

    • January 2013
    • November 2012
    • August 2012
    • April 2012
    • October 2011
    • August 2011
    • July 2011
    • May 2011
    • April 2011
    • March 2011

Copyright © 2013 - Securing SQL Server | Entries (RSS) | Comments (RSS)

WordPress theme designed by web design