
MySQL.Com Database Compromised via Blind SQL Injection Vulnerability

Updated with Statement from Oracle (03/28/11 1:48PM EST) Oracle issued the following statement to SecurityWeek on Monday afternoon: “Security is one of Oracle’s greatest priorities. It was recently reported that a number of sites on the MySQL.com domain may have been compromised. Oracle is currently investigating this incident to determine which systems and data may have been affected. We will continue to keep you updated.”

The database behind MySQL.com (the official MySQL website, owned by Oracle) has been compromised as a result of a blind SQL injection vulnerability. The incident was initially reported via a post to the Full Disclosure mailing list on Sunday morning, which explained the issue and included a dump of part of the MySQL.com database structure.

Attackers have apparently been able to view the internal databases, tables and passwords. Parts of the database including password hashes have been published online, with some passwords already cracked.

According to the Open Web Application Security Project (OWASP), “When an attacker executes SQL Injection attacks, sometimes the server responds with error messages from the database server complaining that the SQL Query’s syntax is incorrect. Blind SQL injection is identical to normal SQL Injection except that when an attacker attempts to exploit an application, rather than getting a useful error message, they get a generic page specified by the developer instead. This makes exploiting a potential SQL Injection attack more difficult but not impossible. An attacker can still steal data by asking a series of True and False questions through SQL statements.”
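The OWASP passage above describes the condition that makes blind injection possible: the application answers only yes or no and never shows a database error. As an added illustration (not code from the article, nor from Oracle or MySQL.com), the following constructed example puts a lookup built by string concatenation beside its parameterized form, using an in-memory SQLite table and made-up user data rather than anything from the MySQL.com schema.

```python
import sqlite3


def make_db():
    """Constructed sample data: a minimal in-memory users table (not MySQL.com's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'constructed-hash')")
    conn.commit()
    return conn


def user_exists_vulnerable(conn, name):
    """Query built by concatenation: caller-supplied text is parsed as SQL.
    Any database error is swallowed into a plain False, which models the
    'generic page' OWASP describes: no error text, only a true/false answer."""
    sql = "SELECT 1 FROM users WHERE name = '" + name + "'"
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False  # generic response; the caller learns nothing about the error


def user_exists_safe(conn, name):
    """Parameterized query: the value is bound separately from the statement,
    so it is compared as data and never interpreted as SQL."""
    sql = "SELECT 1 FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchone() is not None


def demo():
    """Runs both lookups on the constructed table and returns the answers."""
    conn = make_db()
    # Constructed input: a true/false question rather than a real user name.
    probe = "x' OR '1'='1"
    return {
        "vuln_real_user": user_exists_vulnerable(conn, "alice"),
        "vuln_unknown_user": user_exists_vulnerable(conn, "bob"),
        "vuln_probe": user_exists_vulnerable(conn, probe),      # answer flips to True
        "vuln_broken_syntax": user_exists_vulnerable(conn, "'"),  # error hidden as False
        "safe_real_user": user_exists_safe(conn, "alice"),
        "safe_probe": user_exists_safe(conn, probe),            # treated as a literal name
    }
```

The vulnerable path answers True for the probe even though no such user exists, which is the yes/no oracle the OWASP text refers to; the parameterized path answers False because the same string is compared only as a name.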

There have also been reports that the database for Sun.com has been compromised as a result of the same blind SQL injection vulnerability.

We contacted Oracle on Sunday afternoon for comment but have not received a response yet. (Updated)
