Updated with Statement from Oracle (03/28/11 1:48PM EST) Oracle issued the following statement to SecurityWeek on Monday afternoon: “Security is one of Oracle’s greatest priorities. It was recently reported that a number of sites on the MySQL.com domain may have been compromised. Oracle is currently investigating this incident to determine which systems and data may have been affected. We will continue to keep you updated.”
The database behind MySQL.com (the official Web site for MySQL, which is owned by Oracle) has been compromised as a result of a blind SQL injection vulnerability. The incident was initially reported via a post to the Full Disclosure mailing list on Sunday morning, explaining the issue and posting a dump of part of the MySQL.com database structure.
Attackers have apparently been able to view the internal databases, tables and passwords. Parts of the database including password hashes have been published online, with some passwords already cracked.
According to the Open Web Application Security Project (OWASP), “When an attacker executes SQL Injection attacks, sometimes the server responds with error messages from the database server complaining that the SQL Query’s syntax is incorrect. Blind SQL injection is identical to normal SQL Injection except that when an attacker attempts to exploit an application, rather than getting a useful error message, they get a generic page specified by the developer instead. This makes exploiting a potential SQL Injection attack more difficult but not impossible. An attacker can still steal data by asking a series of True and False questions through SQL statements.”
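The mechanism the OWASP passage describes, as an added illustration that is not part of this article: a lookup that splices user input into SQL and swallows database errors (the blind case) next to its parameterized fix, plus a coarse log-review heuristic for the true/false probing. The table, column names and sample rows are constructed and have nothing to do with the MySQL.com schema.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory sample table; names and rows are illustrative only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash-a"), ("bob", "hash-b")])
    return conn


def user_exists_vulnerable(conn, username):
    """Injection sink: the untrusted value is spliced into the SQL text.

    The blanket except is what makes the flaw *blind*: a malformed statement
    never reaches the caller as a database error, only as 'not found', so the
    response still leaks one true/false bit per request."""
    sql = "SELECT 1 FROM users WHERE name = '" + username + "'"
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False


def user_exists_safe(conn, username):
    """Parameterized query: the driver passes the value out of band, so it is
    only ever compared as data and cannot change the shape of the statement."""
    row = conn.execute("SELECT 1 FROM users WHERE name = ?", (username,)).fetchone()
    return row is not None


# Quote, then AND/OR, then a numeric comparison: the signature of the
# true/false questions OWASP describes. Coarse, for log review, not a WAF.
PROBE = re.compile(r"'\s*(and|or)\s+\d+\s*=\s*\d+", re.IGNORECASE)


def looks_like_boolean_probe(value):
    """Return True when a request parameter matches the probe pattern."""
    return PROBE.search(value) is not None


if __name__ == "__main__":
    db = make_db()
    for v in ["alice", "nobody' OR 1=1 --", "alice' AND 1=2 --"]:
        print(repr(v), user_exists_vulnerable(db, v),
              user_exists_safe(db, v), looks_like_boolean_probe(v))
```

The vulnerable lookup answers differently for `alice' AND 1=1 --` and `alice' AND 1=2 --` without ever surfacing an error, which is exactly the oracle the quoted passage refers to; the parameterized version answers "not found" for every such string.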
There have also been reports that the database for Sun.com has been compromised as a result of the same blind SQL injection vulnerability.
We contacted Oracle on Sunday afternoon for comment but have not received a response yet. (Updated)