MySQL.com (the official site for the MySQL database) was compromised via (shocking!) blind SQL injection. A post was sent today to the full disclosure list explaining the issue and dumping part of their internal database structure.
Vulnerable Target : http://mysql.com/customers/view/index.html?id=1170
Host IP : 213.136.52.29
Web Server : Apache/2.2.15 (Fedora)
Powered-by : PHP/5.2.13
Injection Type : MySQL Blind
Current DB : web
It seems their customer view application was used as the entry point. This is where the attackers were able to list the internal databases, tables and password dump. If you have an account on MySQL.com, we recommend changing your passwords ASAP (especially if you like to reuse them across multiple sites).
What is worse is that they also posted the password dump online and some people have already started to crack it. Some of the findings are pretty bad, like the password used by MySQL’s Director of Product Management, which is only 4 digits long. Multiple admin passwords for blogs.mysql.com were also posted.
The folks at MySQL have yet to say anything about this attack, but we will post more details as we learn more about it.
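The entry point above is a PHP page that takes a numeric `id` from the query string. As an added illustration (not MySQL.com's code; the table, column, connection settings and hostnames are assumptions), here is the shape of lookup that is open to blind injection next to a hardened version that validates the parameter and binds it through a prepared statement:

```php
<?php
// Added example, not the site's code. Table/column names are assumed.

// Vulnerable form: the raw ?id= value is spliced into the SQL text, so anything
// appended to it becomes part of the statement. That is what lets an attacker
// ask the database yes/no questions one at a time (blind injection).
function viewCustomerVulnerable(PDO $db, string $rawId): ?array
{
    $sql = "SELECT name, description FROM customers WHERE id = " . $rawId;
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened form: enforce the expected type first, then bind the value as a
// parameter so MySQL receives it as data, never as part of the SQL.
function viewCustomerHardened(PDO $db, string $rawId): ?array
{
    // id is a numeric key; anything that is not a plain integer is rejected
    // before it reaches the database (and is worth logging for detection).
    if (!ctype_digit($rawId) || strlen($rawId) > 10) {
        error_log('customer view: rejected non-numeric id=' . substr($rawId, 0, 64));
        http_response_code(400);
        return null;
    }
    $stmt = $db->prepare('SELECT name, description FROM customers WHERE id = :id');
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Placeholder credentials. Disabling emulated prepares makes the server itself
// handle binding; exception mode avoids silently returning partial results
// whose presence or absence could leak database state.
$db = new PDO('mysql:host=127.0.0.1;dbname=web', 'app_user', 'PLACEHOLDER_PASSWORD', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

$customer = viewCustomerHardened($db, isset($_GET['id']) ? (string) $_GET['id'] : '');
if ($customer === null) {
    echo 'Customer not found.';
} else {
    echo htmlspecialchars($customer['name'], ENT_QUOTES, 'UTF-8');
}
```

The hardened function also gives you a detection hook: a burst of rejected non-numeric `id` values in the error log is a cheap signal that someone is probing the parameter.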