MySQL.com and Sun/Oracle compromised via SQL injection
Posted by Bradley Wint on 28/03/2011
Romanian hackers have once again proven that even the big dogs have their weaknesses. TinKode and Ne0h of Slacker.Ro successfully injected a malicious bit of SQL into MySQL.com and Sun/Oracle’s own databases, and were thus able to reveal their entire table structure and other important details.
Along with being able to see the entire database, they were also able to get passwords, and once again proved how carelessly people use very simple combinations to secure important resources. If you thought Gawker’s 123456 password was too simple, then what about a password such as ‘qa’? This one was set by the Director of Product Management at MySQL.com.
On the MySQL.com end, they were able to dump everything including the database structure and passwords, while only tables and emails from the Sun/Oracle systems were dumped.
With this in mind, does it mean sites running installs of MySQL are now vulnerable to this particular attack? Luckily the answer is “no”. It seems the issue came about due to poor implementation on MySQL and Oracle’s part rather than a flaw in the MySQL software itself. We put “no” in quotes though, because no software out there is hack proof.
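To make that distinction concrete, here is an added illustration (not code from MySQL.com or from this post) of the application-side mistake that lets an injection through, beside the parameterized form that closes it. It uses Python’s sqlite3 with a constructed in-memory users table as a stand-in for a MySQL-backed site; the flaw and the fix are the same with any SQL driver.

```python
import sqlite3

# Constructed sample data standing in for a site's user table (not real MySQL.com data).
# sqlite3 is used so the example runs offline; the query-building flaw is identical
# with MySQL drivers, because it lives in the application, not in the database engine.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, pw_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "hash-a", "admin"),
        ("bob", "hash-b", "user"),
        ("o'brien", "hash-c", "user"),   # legitimate name containing a quote
    ])
    return conn

def lookup_vulnerable(conn, username):
    """Builds the SQL text by string concatenation: the input becomes part of the
    statement itself. Returns None when the result is not even valid SQL, which is
    how such a flaw usually first shows up (a user with an apostrophe in their name)."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.Error:
        return None

def lookup_hardened(conn, username):
    """Parameterized query: the driver passes the value separately from the SQL text,
    so whatever the input contains, it can never change the statement's structure."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

if __name__ == "__main__":
    db = build_db()
    for name in ("alice", "o'brien", "x' OR '1'='1"):
        print(repr(name),
              "vulnerable:", lookup_vulnerable(db, name),
              "hardened:", lookup_hardened(db, name))
```

Run it and the concatenated version breaks on o'brien and returns every row for the tautology input, while the parameterized version returns exactly the matching user or nothing.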
It seems their intentions are to highlight security flaws found in various websites, since they do this on a regular basis.
The whole ordeal has already affected MySQL’s reputation, with some already willing to switch to other SQL database solutions. The big lessons from such a situation include using complex passwords and doing routine checks for possible weaknesses in your server, whether it be on the database, OS or HTTP end, among other areas.