Mysql.com Vulnerable To Blind Sql Injection Vulnerability - Webmasters - Nairaland
Nairaland Forum › Science/Technology › Webmasters › Mysql.com Vulnerable To Blind Sql Injection Vulnerability (1945 Views)
| Mysql.com Vulnerable To Blind Sql Injection Vulnerability by Slyr0x(op): 11:21pm On Mar 27, 2011 |
Allow me to point out a little bit of irony in this headline , a website for one of the more popular open-source database alternatives gets completely compromised using blind SQL Injection. Ouch. Someone going by the moniker "Jack haxor" posted this to the Full Disclosure mailing list just a little while ago , giving a nice explanation of what's happened and more importantly where the vulnerable target page is (customers/view/index.html) so others can go and play for themselves. MySQL has (as of this writing) not issued a statement yet , which probably means they're scrambling to close up and clean up the mess , whatever that mess may be. Did the attacker get into anything more than just the databases behind the website? Maybe we'll know, maybe we won't -but this is at very least very unsettling for the open-source database organization. Hopefully they have clean, check-summed backups, right? Oh, and if you're interested in seeing the handywork that resulted from this compromise , check out this pastebin.com link , I swear I had nothing to do with that rabbit/hat graphic. Some take-aways from this one , 1. Never re-use passwords across too many websites of different security levels 2. Use complex pass-phrases as much as possible so they're harder to crack 3. Back up, then check-sum your backups and keep them off offline in case you need a restore point 4. Hiding the SQL error from an attacker will still get you compromised (blind SQL injection) 5. Check your code , attackers don't sleep, and won't spare you just because you're an open-source, charitable project 6. It can happen to anyone, anywhere at any time link ---> http://h30501.www3.hp.com/t5/Following-the-White-Rabbit-A/MySQL-WebSite-Hacked-by-Ironically-Blind-SQL-Injection/ba-p/25359 |
| Re: Mysql.com Vulnerable To Blind Sql Injection Vulnerability by Slyr0x(op): 11:26pm On Mar 27, 2011 |
Full Disclosure here --> http://pastebin.com/BayvYdcP --> http://pastebin.com/7y9LymN3 +) Targets: www.reman.sun.com www.ibb.sun.com www.mysql.com www.mysql.fr www.mysql.de www.mysql.it www-jp.mysql.com |
| Re: Mysql.com Vulnerable To Blind Sql Injection Vulnerability by ogzille(m): 8:53am On Mar 28, 2011 |
nawa o!!! |
| Re: Mysql.com Vulnerable To Blind Sql Injection Vulnerability by WebMonk(m): 10:33am On Mar 28, 2011 |
I guess there are no exceptions |
| Re: Mysql.com Vulnerable To Blind Sql Injection Vulnerability by Slyr0x(op): 8:53pm On Mar 28, 2011 |
ogzille:Na cRious wa. . WebMonk:No exceptions o0. . .Check http://www.zone-h.org/archive/special=1 |
| Re: Mysql.com Vulnerable To Blind Sql Injection Vulnerability by Nobody: 12:48am On Mar 31, 2011 |
this is serious. obviously these guys dont have "give up" in their books i get at least 2 attacks daily on one of my age long projects, not a popular website What happens if it's popular? |
Over A Million Web Sites Affected In Mass Sql Injection Attack • Facebook Vulnerable To Html Injection • Quick Sql Injection Vulnerability Test • 2 • 3 • 4
What Online Ads Do You Use? And Have They Worked For You? • Let’s Design Your Awesome Investment Website • Understanding Colour Schemes In Web Design