

MySQL.com compromised via (guess what?) SQL injection - sucuri2
http://blog.sucuri.net/2011/03/mysql-com-compromised.html

======
jedsmith
Actual information with more details, minus zero-content blog:

[http://seclists.org/fulldisclosure/2011/Mar/309?utm_source=t...](http://seclists.org/fulldisclosure/2011/Mar/309?utm_source=twitterfeed&utm_medium=twitter)

<http://pastebin.com/BayvYdcP>

~~~
vog
I really don't understand why people are upvoting this meaningless blog crap,
instead of upvoting the HN entry of the original publication:

<http://news.ycombinator.com/item?id=2377013>

~~~
sathyabhat
Because it was submitted ~10 hours prior to the link you posted.

------
fmavituna
Same guys hit Sun.com via SQL Injection as well -
[http://tinkode27.baywords.com/sun-com-sun-mycrosystems-vulne...](http://tinkode27.baywords.com/sun-com-sun-mycrosystems-vulnerable-sql-injection/)

 _Shameless self plug:_ Netsparker (my startup: <http://www.netsparker.com/>)
could have identified both of these vulnerabilities.

~~~
bjg
That product looks awfully similar to Metasploit (<http://www.metasploit.com/>),
no?

How is it different? I watched the demo video and couldn't really tell.

~~~
fmavituna
Metasploit mostly focuses on Infrastructure and exploiting known
vulnerabilities.

Netsparker is solely focused on web application security (detection &
exploitation). For example Netsparker can crawl AJAX/Javascript apps, support
form authentication etc. Metasploit on the other hand possibly will never do
that kind of stuff.

~~~
tptacek
You are comparing a $1000 commercial product to open source Ruby code.
Metasploit is sponsored by Rapid7, which does in fact have a product that is
competitive with your offering.

Do we need to get into a detailed discussion of why I think the plug for your
scanner is inappropriate for this thread? Or can we just let it suffice to say
that HN isn't a great place to promote products on random threads?

~~~
fmavituna
I'm not comparing, I'm telling the difference. Just like Netsparker will not
do port scanning, possibly Metasploit will not do full web app stuff. You can
talk with someone from Rapid7 and they'll tell you the same thing. And for the
record I love Metasploit, it's a fantastic tool.

We have a good relationship with the Rapid7 guys; they even have a module to
import Netsparker results into Metasploit and we keep getting synced with them
in new updates.

> Or can we just let it suffice to say that HN isn't a great place to promote
> products on random threads?

Personally I love seeing other HNers send their related products, projects,
startups, commercial ideas, job ads in HN threads; I don't think there is
anything wrong with that. You might think otherwise, that's why there is one
upvote and one downvote button.

~~~
tptacek
Metasploit isn't a web application penetration tool. W3af, the other open source
security tool Rapid7 sponsors, is. Meanwhile, Rapid7's commercial offering,
Nexpose, also crawls Ajax applications and, if this flaw is as simple as
people seem to think it is, would likely have found it... as would OWASP
WebScarab or Burp (a tool that costs a fraction of what your tool does and
belongs in the back pocket of every web developer).

I'm responding harshly because I do not agree with your logic (to wit: any
thread involving security is a great place to plug your scanner) and because I
found your comparison of Netsparker to Metasploit disingenuous: Metasploit
simply isn't Rapid7's web app offering.

~~~
randallsquared
_I found your comparison of Netsparker to Metasploit disingenuous_

I have no position on whether he should mention his product in a news thread
about SQLI, but he was responding directly to bjg, who said:

 _That product looks awfully similar to Metasploit (<http://www.metasploit.com/>), no?_

 _How is it different?_

So, his "comparison" was just responding to someone saying "How is it
different?", literally.

------
OstiaAntica
Here's some background info on Blind SQL Injection:

<http://www.owasp.org/index.php/Blind_SQL_Injection>

~~~
rrrhys
Thanks, great read (and interesting eye opener!)

------
riffraff
While I understand that SQL injection is mostly a fault of the host
programming language/developer (PHP in this case) and not of the DBMS/DBA,
couldn't the latter have avoided this in part by limiting user privileges so
that it was impossible to "list the internal databases, tables and password
dump", e.g. "REVOKE SHOW DATABASES, SHOW VIEW"?

(I'm aware this may make it impossible to use some web frameworks which rely on
RDBMS reflection, but I have the feeling this is not the case here.)

~~~
xd
Sorry, but how is PHP at fault? You can shoot yourself in the foot with _ANY_
programming language.

~~~
Natsu
PHP has been known to provide convenient footguns in the past (e.g.
register_globals, mercifully deprecated), so it's not surprising that
security-minded people give it a hard time.

Think of it as the difference between the language keeping loaded footguns
under its pillow with the safety off and keeping unloaded footguns in a locked
gun safe. One is a lot less likely to get used than the other, even if either
one will shoot your foot just as well.

~~~
xd
Rehashing old design flaws is not an excuse to blame PHP for programmer
error.

~~~
prodigal_erik
It doesn't seem fair to call a defect "old" if it wasn't seriously addressed
between then and now. I had to pick up PHP (presumably because of heinous sins
in a past life) and every tutorial I saw was _still_ pasting user input into
non-parameterized queries. There are apparently several different MySQL
clients, and our production boxes still had the original (inexplicably still
in existence) which didn't even _support_ parameterized queries. And that was
in 2007!

~~~
damncabbage
Just hit the same issue here in 2011. Plesk, a popular package for managing
shared hosting used by hosting companies, doesn't include the MySQL drivers
for PDO (what's meant to be PHP's "standard" database library).

Last week I had to rewrite an import script to use mysql_query(), with
mysql_real_escape_string() and quotes for every query variable.

------
d2
Oracle's security team bear full responsibility for this breach. MySQL's
founder Monty Widenius left Sun in 2005. Sun declined, Oracle bought them as a
strategic buy and the portal has been neglected to the point of being
compromised.

One wonders what internal neglect MySQL is suffering behind the corporate
veil.

~~~
morgo
Do you really think Monty had anything to do with coding the website anyway?

The guys that write the actual database have _nothing_ to do with the web team.
They didn't in MySQL days, they don't now.

------
albertzeyer
I wonder a bit that there isn't a real binary protocol for SQL.

Edit: It seems there are ways to work around server-side SQL parsing:
[http://www.xarg.org/2011/01/is-it-possible-to-avoid-query-pa...](http://www.xarg.org/2011/01/is-it-possible-to-avoid-query-parsing-inside-of-mysql/)

I was thinking more about why it is allowed at all to send text-like SQL
queries to a server. A binary protocol would both be simpler to handle and
would have saved us from a lot of trouble.

Edit: If all client-side libs (for PHP, Python, etc.) would just use those
[prepared statements](http://dev.mysql.com/doc/refman/5.0/en/c-api-prepared-statements.html),
it would be like what I mean.

Edit: Ah, I was wrong (as I hoped): For Python: <https://launchpad.net/oursql>

~~~
xd
Reply to your further edit (let's hope this is the last one ;)

Prepared statements _should_ afford you a clean conscience because the values
never make up part of the SQL query .. unless you are using a library that
emulates it, and there are libraries out there that do, so don't assume
anything.

~~~
tptacek
Prepared statements _do not_ afford you a "clean conscience". You still need
to be careful with your inputs in parameterized queries, because not every
input to every query can be bound as a variable. Some operations do require
dynamic query construction.

~~~
xd
" _Prepared statements do not afford you a "clean conscience"_ " erm, that was
the point I was trying to make.

" _because not every input to every query can be bound as a variable_ " Can
you give me an example?

" _Some operations do require dynamic query construction._ " what does that
have to do with prepared queries?

~~~
statictype
_"because not every input to every query can be bound as a variable" Can you
give me an example?_

var sql = "select * from User where UserType=@ut order by ModificationDate " +
sort_order;

In this case, if sort_order comes directly from an 'asc'/'desc' radio button
then you have an injection attack.

The correct way to do it would be:

var sql = "select * from User where UserType=@ut order by ModificationDate " +
(sort_order=="asc"?"asc":"desc");

The point was that there are some parts of sql that can't be parameterized
like sort order or limits on the resultant recordset. Although, ideally
support for those things should be coming from your database vendor (if it
isn't already there).

For example, SqlServer supports using variables in top expressions: select
top(@max) * from ....
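The distinction tptacek and statictype draw above, values that a driver can bind as parameters versus SQL keywords that cannot be bound and must be allow-listed, as an added example in Python. This is not code from the thread or from any of the tools mentioned in it. It uses the standard-library sqlite3 module against a constructed in-memory table with statictype's column names; the hypothetical `users_by_type()` function, the sample rows and the `_SORT_DIRECTIONS` allow-list are all assumptions of the example. `UserType` and `LIMIT` are bound as parameters, while the sort direction is mapped through the allow-list before any query text is assembled, which is the pattern statictype's `(sort_order=="asc"?"asc":"desc")` expresses.

```python
import sqlite3

# Constructed sample rows (not from the original thread): username, type, date.
_SAMPLE_USERS = [
    ("alice", "admin", "2011-03-01"),
    ("bob", "member", "2011-03-05"),
    ("carol", "member", "2011-03-03"),
    ("dave", "guest", "2011-03-02"),
]

# ORDER BY direction is a SQL keyword, not a value: no driver can bind it as a
# parameter, so it is mapped through a fixed allow-list instead of concatenated.
_SORT_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def open_sample_db():
    """Create an in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE User (Username TEXT, UserType TEXT, ModificationDate TEXT)"
    )
    # Rows are inserted with bound parameters too; no string formatting anywhere.
    conn.executemany("INSERT INTO User VALUES (?, ?, ?)", _SAMPLE_USERS)
    return conn


def users_by_type(conn, user_type, sort_order, limit):
    """Return usernames of one UserType, sorted by ModificationDate.

    user_type and limit are data and travel to the engine as bound parameters.
    sort_order is part of the SQL grammar, so it is validated against the
    allow-list and only the allow-listed spelling is placed in the statement.
    """
    direction = _SORT_DIRECTIONS.get(str(sort_order).lower())
    if direction is None:
        raise ValueError("sort_order must be 'asc' or 'desc'")

    limit = int(limit)  # anything that is not an integer is rejected here
    if not 1 <= limit <= 1000:
        raise ValueError("limit out of range")

    # The only interpolated token is `direction`, which came from our own dict.
    sql = (
        "SELECT Username FROM User WHERE UserType = ? "
        f"ORDER BY ModificationDate {direction} LIMIT ?"
    )
    return [row[0] for row in conn.execute(sql, (user_type, limit))]


def demo():
    """Exercise the normal path, a hostile bound value and a rejected keyword."""
    conn = open_sample_db()

    members = users_by_type(conn, "member", "desc", 10)

    # A value containing quotes and SQL syntax is compared as one literal
    # string because it is bound, so it simply matches no row.
    hostile = users_by_type(conn, "member' OR '1'='1", "asc", 10)

    # A sort direction outside the allow-list is refused before any SQL exists.
    try:
        users_by_type(conn, "member", "asc; DROP TABLE User", 10)
        rejected = False
    except ValueError:
        rejected = True

    return members, hostile, rejected


if __name__ == "__main__":
    print(demo())
```

Python's sqlite3 hands the bound values to the engine separately from the statement text, which is the behaviour xd and albertzeyer want from a driver; with a client library that emulates binding by escaping and splicing values into the text, the allow-list for keywords is unchanged but the data parameters are only as safe as that escaping, which is xd's caveat about emulated prepared statements.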

------
Arxiss
I can't believe that all these 'BIG names' are getting hacked by a group of 2.
What is next? Google.com goes down?

------
drinian
Doesn't really seem responsible to post the vulnerability details to the
public list like that, all necessary shaming on weak passwords aside.

I wonder if the timing on this has anything to do with Oracle's continued
dismantling of the useful parts of the MySQL website.

------
mattmanser
What really pisses me off about this is that you _had_ to register just to be
able to download the files.

So they unnecessarily had a lot of people's username/passwords for absolutely
no good reason.

~~~
AmrMostafa
Not entirely true. There is a "No thanks, take me to download" link at the
bottom of the form you get after clicking the download link.

~~~
tyler_ball
It's not in a very obvious place. Downloading the mysql source is one of the
most annoying experiences I've had on an OSS site. Iframes, select boxes,
login forms! Just give me a list!

------
hammock
6661, is that his ATM pin as well?

~~~
kprobst
Or the combination on his luggage.

~~~
notyourwork
Or the code to his garage door.

~~~
listrophy
Or his iPhone unlock code.

