Actual information with more details, minus zero-content blog:

http://seclists.org/fulldisclosure/2011/Mar/309?utm_source=twitterfeed&utm_medium=twitter

http://pastebin.com/BayvYdcP
Same guys hit Sun.com via SQL injection as well: http://tinkode27.baywords.com/sun-com-sun-mycrosystems-vulnerable-sql-injection/

Shameless self plug: Netsparker (my startup: http://www.netsparker.com/) could have identified both of these vulnerabilities.
Here's some background info on Blind SQL Injection:

http://www.owasp.org/index.php/Blind_SQL_Injection
While I understand that SQL injection is mostly a fault of the host programming language/developer (PHP in this case) and not of the DBMS/DBA, couldn't the latter have avoided this in part by limiting user privileges so that it was impossible to "list the internal databases, tables and password dump", e.g. "REVOKE SHOW DATABASES, SHOW VIEW"?

(I'm aware this may make it impossible to use some web frameworks which rely on RDBMS reflection, but I have the feeling this is not the case.)
Oracle's security team bears full responsibility for this breach. MySQL's founder Monty Widenius left Sun in 2005. Sun declined, Oracle bought them as a strategic buy, and the portal has been neglected to the point of being compromised.

One wonders what internal neglect MySQL is suffering behind the corporate veil.
I wonder a bit why there isn't a real binary protocol for SQL.

Edit: It seems there are ways to work around server-side SQL parsing: http://www.xarg.org/2011/01/is-it-possible-to-avoid-query-parsing-inside-of-mysql/

I was thinking more about why it is allowed at all to send text-like SQL queries to a server. A binary protocol would both be simpler to handle and would have saved us from a lot of trouble.

Edit: If all client-side libs (for PHP, Python, etc.) just used those prepared statements (http://dev.mysql.com/doc/refman/5.0/en/c-api-prepared-statements.html), it would be like what I mean.

Edit: Ah, I was wrong (as I hoped): For Python: https://launchpad.net/oursql
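The point the comment above makes, that a prepared statement sends the query template and the data separately so user input can never change the query's structure, is easiest to see side by side. The following is an added example, not code from the thread or from any of the libraries it links; it uses Python's built-in sqlite3 module as an offline stand-in for a MySQL client (the placeholder syntax differs between drivers, but the template-plus-parameters mechanism is the same), with a constructed two-row `users` table.

```python
import sqlite3

# sqlite3 is an offline stand-in for MySQL here (assumption for the demo);
# the separation of SQL template and parameter values is what matters.


def make_db():
    """Constructed sample data: a tiny 'users' table with two accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash-a"), ("bob", "hash-b")])
    return conn


def count_users_concat(conn, name):
    """Vulnerable: the caller's string is spliced into the SQL text, so it
    becomes part of the query's grammar and can rewrite the WHERE clause."""
    sql = "SELECT COUNT(*) FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchone()[0]


def count_users_param(conn, name):
    """Safe: the SQL template is fixed and the value travels separately,
    so whatever the string contains is compared literally against name."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchone()[0]


# Textbook tautology string used as a regression-test input for the two paths.
TAUTOLOGY = "x' OR '1'='1"

if __name__ == "__main__":
    conn = make_db()
    print(count_users_concat(conn, "alice"))    # 1
    print(count_users_concat(conn, TAUTOLOGY))  # 2: the WHERE clause was rewritten
    print(count_users_param(conn, TAUTOLOGY))   # 0: no user is literally named that
```

A test like this belongs in a project's regression suite: the parameterized path must return 0 for the tautology input, and any code path that returns the full row count has re-introduced string splicing.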
What really pisses me off about this is that you had to register just to be able to download the files.

So they unnecessarily had a lot of people's username/passwords for absolutely no good reason.
Doesn't really seem responsible to post the vulnerability details to the public list like that, all necessary shaming on weak passwords aside.

I wonder if the timing on this has anything to do with Oracle's continued dismantling of the useful parts of the MySQL website.