MySQL.com Database Compromised By Blind SQL Injection
An was sent out earlier today on the mailing list, detailing the compromise of numerous MySQL websites along with portions of their containing usernames and passwords.
MySQL offers database software and services for businesses at an enterprise level as well as services for online retailers, web forums and even governments. The vulnerability for the attack, completed using blind SQL injection and targeted including MySQL.com, MySQL.fr, MySQL.de and MySQL.it, was initially found by "TinKode" and "Ne0h" of Slacker.Ro (according to their pastebin.com/BayvYdcP dump of the stolen credentials) but published by "Jackh4x0r".
Laugh. Surprising that they weren't checking user input / sanitizing everything before inputting the data into their MySQL database. There's absolutely no reason these days that SQL injection attacks should work, IMO; it all comes down to sloppy programming and piss poor auditing. Something you wouldn't expect from MySQL / Oracle...
So is v5.5.10 safe to use? It sounds like it was just the website itself and not MySQLd.
SQL injection isn't a db server issue, it's an application one.
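To make the point of the last two replies concrete (the flaw lives in application code that builds queries from user input, not in the database server), here is an added example that is not part of the thread and not code from MySQL.com or any of the posters. It uses Python's built-in sqlite3 module with a constructed in-memory `users` table and hypothetical sample rows, so it runs offline; the same concatenation bug looks identical against MySQL with any client library. The first lookup function splices the username into the SQL string, the second passes it as a bound parameter.

```python
import sqlite3
from typing import List, Optional

# Constructed sample data: hypothetical usernames with fake, already-hashed passwords.
SAMPLE_USERS = [
    ("alice", "hash-placeholder-1"),
    ("bob", "hash-placeholder-2"),
    ("o'brien", "hash-placeholder-3"),  # legitimate name containing a quote
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with a small users table (constructed, not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)"
    )
    # The setup itself uses bound parameters, so the quote in o'brien is stored correctly.
    conn.executemany(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)", SAMPLE_USERS
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> Optional[List[str]]:
    """The sloppy pattern: the caller's input becomes part of the SQL text.

    Whatever the user types is parsed as SQL, so a quote in a real name breaks the
    statement (returns None here) and crafted input changes the WHERE clause. Blind
    injection works the same way even when the application never shows the rows:
    the attacker only needs to observe whether the query succeeds or how it behaves.
    """
    query = f"SELECT username FROM users WHERE username = '{username}' ORDER BY username"
    try:
        return [row[0] for row in conn.execute(query)]
    except sqlite3.Error:
        return None


def lookup_safe(conn: sqlite3.Connection, username: str) -> List[str]:
    """The correct pattern: the SQL text is fixed and the value travels as a parameter.

    The database driver never interprets the username as SQL, so quotes and keywords
    in the input are just characters to compare against the column.
    """
    query = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(query, (username,))]


if __name__ == "__main__":
    db = make_db()
    for probe in ("alice", "o'brien", "' OR '1'='1"):
        print(repr(probe), "->", lookup_vulnerable(db, probe), "|", lookup_safe(db, probe))
```

Running the script shows the two behaviours side by side: for `o'brien` the concatenated query fails outright while the parameterized one finds the user, and for the textbook tautology input the concatenated query returns every row while the parameterized one correctly returns nothing. The fix is the second function; escaping or filtering input by hand is what the thread's first reply calls sloppy, because it has to be done perfectly at every call site.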