• MySQL.com compromised through SQL injection
    14 replies, posted
[release]MySQL.com (the official site for the MySQL database) was compromised via (shocking!) blind SQL injection. A [url=http://seclists.org/fulldisclosure/2011/Mar/309?utm_source=twitterfeed&utm_medium=twitter]post[/url] was sent today to the full disclosure list explaining the issue and dumping part of their internal database structure.

[quote]Vulnerable Target : [url]http://mysql.com/customers/view/index.html?id=1170[/url]
Host IP : 213.136.52.29
Web Server : Apache/2.2.15 (Fedora)
Powered-by : PHP/5.2.13
Injection Type : MySQL Blind
Current DB : web

So their customer view application was used as the entry point, where the attackers were able to list the internal databases, tables and password dump… What else they did, we are not sure. If you have an account on MySQL.com, we recommend changing your passwords asap (especially if you like to reuse them).[/quote]

What is worse is that they also posted the password dump online and some people started to crack it already. Some of the findings are pretty bad, like that the password used by the MySQL director of product management is only 4 numbers (6661) and also posted multiple admin passwords for blogs.mysql.com… MySQL have not said anything about this attack, but we will post more details as we learn more about it.[/release]

[url=http://blog.sucuri.net/2011/03/mysql-com-compromised.html](source)[/url]
[url=http://seclists.org/fulldisclosure/2011/Mar/309?utm_source=twitterfeed&utm_medium=twitter](source #2)[/url]

Just saw this pop up on Twitter. Yeah. Wow.
I wonder how many people will try and inject some humour into this situation.
You know, I would've expected the people hosting MySQL stuff on a website about MySQL to know how to protect against this kinda stuff.
haha the irony :v:
[QUOTE=helpiminabox;28845089]You know, I would've expected the people hosting MySQL stuff on a website about MySQL to know how to protect against this kinda stuff.[/QUOTE] Y'know, we have a saying for situations like this one... "In a blacksmith's house, all knives are wooden". :v:
INSERT INTO situation VALUES ('irony')
Oh god the irony. [editline]27th March 2011[/editline] :ironicat:
DROP TABLE "security"
Someone will be rejected for this injection.
I guess you could say, they really dropped the ball on this one.
[QUOTE=helpiminabox;28845089]You know, I would've expected the people hosting MySQL stuff on a website about MySQL to know how to protect against this kinda stuff.[/QUOTE] I highly doubt Oracle gives two shits about MySQL
[img]http://26.media.tumblr.com/tumblr_l93t33I3dA1qzuixyo1_500.png[/img]
:irony:
Oracle really is shit, and now I have proof.
Have they ever heard of mysql_real_escape_string($var); ?
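The post above proposes mysql_real_escape_string() as the fix. As an added example (not code from any post in this thread or from MySQL.com), the Python/sqlite3 snippet below shows why escaping alone does not protect an unquoted integer parameter like the `id=` in the quoted target URL, and what a parameterized query with type validation does instead. The `customers` table, its rows and the `escape_only` helper (a simplified stand-in for mysql_real_escape_string) are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed sample table standing in for a customer-view backend (not MySQL.com's schema)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT)")
    con.executemany("INSERT INTO customers VALUES (?, ?)",
                    [(1170, "Public Customer"), (1171, "Other Customer")])
    return con


def escape_only(value: str) -> str:
    """Simplified stand-in for mysql_real_escape_string: backslash-escapes quotes,
    backslashes and NUL. Spaces, keywords and operators pass through untouched."""
    return (value.replace("\\", "\\\\").replace("'", "\\'")
                 .replace('"', '\\"').replace("\0", "\\0"))


def view_customer_escaped(con, raw_id: str):
    """Vulnerable pattern: the id is escaped but placed unquoted into the SQL text,
    so the escaping never triggers and the query structure can still change."""
    sql = "SELECT name FROM customers WHERE id = " + escape_only(raw_id)
    return [row[0] for row in con.execute(sql)]


def valid_customer_id(raw_id: str) -> bool:
    """Type check: the id must be a plain positive integer before it reaches SQL."""
    return raw_id.isdigit()


def view_customer_param(con, raw_id: str):
    """Hardened pattern: validate the type, then bind the value as a parameter;
    the SQL text is fixed and the database never parses the input as SQL."""
    if not valid_customer_id(raw_id):
        raise ValueError("id must be a positive integer")
    return [row[0] for row in
            con.execute("SELECT name FROM customers WHERE id = ?", (int(raw_id),))]
```

The escaped version answers a true and a false boolean condition differently, which is exactly the data-dependent oracle behind the "MySQL Blind" injection type in the quoted post; the parameterized version rejects the same input before any query runs.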