Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

MySQL.Com Database Compromised via Blind SQL Injection Vulnerability

Updated with Statement from Oracle (03/28/11 1:48PM EST) Oracle issued the following statement to SecurityWeek on Monday afternoon: “Security is one of Oracle’s greatest priorities. It was recently reported that a number of sites on the MySQL.com domain may have been compromised. Oracle is currently investigating this incident to determine which systems and data may have been affected. We will continue to keep you updated.”

Updated with Statement from Oracle (03/28/11 1:48PM EST) Oracle issued the following statement to SecurityWeek on Monday afternoon: “Security is one of Oracle’s greatest priorities. It was recently reported that a number of sites on the MySQL.com domain may have been compromised. Oracle is currently investigating this incident to determine which systems and data may have been affected. We will continue to keep you updated.”

The database for MySQL.com (official site for the MySQL Web site which is owned by Oracle) has been compromised, as a result of a blind SQL injection vulnerability. The incident was initially reported via a post to the full disclosure list on Sunday morning, explaining the issue and posting a dump of part of the MySQL.Com database structure.

Attackers have apparently been able to view the internal databases, tables and passwords. Parts of the database including password hashes have been published online, with some passwords already cracked.

According to the Open Web Application Security Project (OWSP), “When an attacker executes SQL Injection attacks, sometimes the server responds with error messages from the database server complaining that the SQL Query’s syntax is incorrect. Blind SQL injection is identical to normal SQL Injection except that when an attacker attempts to exploit an application, rather then getting a useful error message, they get a generic page specified by the developer instead. This makes exploiting a potential SQL Injection attack more difficult but not impossible. An attacker can still steal data by asking a series of True and False questions through SQL statements.”

There have also been reports that the database for Sun.Com has been compromised as a result of the same blind SQL Injection Vulnerability.

We contacted Oracle on Sunday afternoon for comment but have not received a response yet. (Updated)

Written By

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Application Security

Many developers and security people admit to having experienced a breach effected through compromised API credentials.

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Cyberwarfare

Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.