This is probably the breaking news of this weekend on security blogs and websites: mysql.com and other related sites have been compromised! This was disclosed via an e-mail sent to the full-disclosure mailing list (copy here). If you take the time to read the message, you will learn that the site was the victim of a blind SQL injection. Wait… “MySQL“, “SQL injection“? For me, this is a funny story, nothing less, nothing more. mysql.com MySQL database pwn3d… so what?
Basically, it’s a vulnerability like many other websites suffer from. MySQL is just a “tool” used to keep data organized. The way it is implemented and used is the responsibility of administrators, developers and security guys. Could Smith & Wesson be held responsible if one of their employees shoots himself with a weapon assembled in their factory? Again, the lessons learned from this breach must make developers more aware of security. You may choose to deploy the ultra-high-security product, but improperly configured or used, it will fail… like any other! Consider the security level of a product like a reputation: you’ll take days to build something strong, and a few minutes can be enough to destroy it.
It could have been worse if the attacker had found a major vulnerability in the MySQL code or replaced the official MySQL source code with a trojaned version! MySQL is a major component of millions of websites and applications. But in this case, as far as we know, this did not happen (yet). It looks like sun.com was also compromised. And no feedback from Oracle: I checked mysql.com and oracle.com, and there is no mention of the incident…
Injecting some malicious update into the mysql sources could probably have been the worst-case scenario.
It could have allowed him to gain access to so many machines, some of which could have been really sensitive ones.
Oh well, I guess the kiddo who did that just didn’t think it through.
I don’t know, even though it doesn’t matter I still enjoy the irony. 🙂
Hello,
Yeah, someone sharing my opinion on this, finally 😉
Most people think it’s funny that mysql.com got owned by an SQL injection. But that doesn’t even make sense, because SQL injection is an application-based problem and not a DB-based one [1]. Just because both words contain SQL, it doesn’t mean that there is any kind of irony given 😉
Regards,
Marc
[1] @mruef
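The point made in the post and in Marc’s comment, that the injection bug lives in the application and not in the database engine, can be shown with a small added example (not code from the original post or from mysql.com). It assumes Python’s built-in sqlite3 as a stand-in for MySQL, with constructed sample rows: the engine faithfully runs whatever statement text it receives, so the only thing that decides whether user data can rewrite the query is how the application builds it.

```python
import sqlite3

# Constructed sample data; sqlite3 stands in for MySQL because it ships with Python.
SAMPLE_USERS = [("alice", "alice@example.test"), ("O'Brien", "obrien@example.test")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def build_unsafe_sql(name):
    # The defect is here, in application code: user data is spliced into the
    # statement text, so the data can change the statement's structure.
    return f"SELECT email FROM users WHERE name = '{name}'"


def lookup_unsafe(conn, name):
    return [row[0] for row in conn.execute(build_unsafe_sql(name))]


def lookup_safe(conn, name):
    # Parameter binding: the statement text is fixed and the value travels
    # separately, so it is never parsed as SQL whatever characters it contains.
    return [row[0] for row in conn.execute("SELECT email FROM users WHERE name = ?", (name,))]


def compare(name):
    """Run both lookups for one input; the unsafe path reports a parse error as a string."""
    conn = make_db()
    try:
        unsafe = lookup_unsafe(conn, name)
    except sqlite3.OperationalError as exc:
        # A plain apostrophe in the data already breaks the hand-built statement.
        unsafe = f"error: {exc}"
    return {"unsafe": unsafe, "safe": lookup_safe(conn, name)}


if __name__ == "__main__":
    for n in ("alice", "O'Brien"):
        print(n, compare(n))
```

The name O'Brien is enough to make the concatenated statement fail to parse, while the bound parameter returns the matching row; the database engine behaves identically in both cases and is not where the fix belongs.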