MySQL open to attack [No, make that TheirSQL]
By Patrick Gray, ZDNet Australia
16 December 2002
Posted on 12/16/2002 7:48:02 PM PST by Bush2000
Several vulnerabilities have been found in the MySQL database system, a lightweight database package commonly used in Linux environments but which also runs on Microsoft platforms, HP-UX, Mac OS and more. E-matters, a German company, released a security advisory after discovering the flaws and has rated them "Medium to Critical" in severity.
The flaws range from Denial of Service (DoS) problems to more serious issues.
"...one of the flaws can be used to bypass the MySQL password check or to execute arbitrary code," the advisory said.
E-matters also found multiple vulnerabilities in the MySQL client libraries, which "...could allow DoS attacks against or arbitrary code execution within anything linked against libmysqlclient."
The vulnerabilities affect all versions prior to 3.23.53a and 4.0.5a. MySQL has released an updated "version 3" (3.23.54) that is immune to the security bugs. Note that the client-library flaws live in libmysqlclient, so upgrading the server alone does not close them: every program linked against a vulnerable copy of the library stays exposed until it is rebuilt or relinked against a fixed release.
It is not known when an updated "version 4" MySQL will be released.
E-matters will not be releasing an exploit for the vulnerability.
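As an added check (example code written for this page, not from e-matters, ZDNet or the MySQL project): given version strings as returned by `SELECT VERSION()` or `mysqld --version`, decide whether a server falls inside the affected range the article describes, i.e. anything older than 3.23.53a on the 3.x tree or older than 4.0.5a on the 4.0 tree, and bucket an inventory of hosts accordingly. The hostnames and version strings below are constructed sample input, and the treatment of build suffixes such as `-log` or `-max-nt` as security-irrelevant is an assumption about the version-string format, not something the article states.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, str]   # (major, minor, patch, letter), e.g. (3, 23, 53, "a")

# Fixed releases named in the advisory, one per affected branch. A bare patch number
# sorts before its lettered re-release, so (3, 23, 53, "") < (3, 23, 53, "a") as tuples.
FIXED_3_23: Version = (3, 23, 53, "a")
FIXED_4_0: Version = (4, 0, 5, "a")

# major.minor.patch, an optional single trailing letter, then end of string or a
# '-suffix' (e.g. -log, -max-nt). Anything else (e.g. '4.0.4beta') is rejected rather
# than guessed at.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)([a-z]?)(?:[-\s]|$)")


def parse_mysql_version(s: str) -> Optional[Version]:
    """Parse a MySQL version string as printed by SELECT VERSION() or mysqld --version.
    Assumption: build suffixes after the first '-' carry no security meaning."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        return None
    major, minor, patch, letter = m.groups()
    return int(major), int(minor), int(patch), letter


def fixed_release_for(v: Version) -> Optional[Version]:
    """Which fixed release applies. The whole 3.x tree is older than 3.23.53a, so all
    of it is covered by that threshold; 4.0.x is covered by 4.0.5a; any other branch
    is outside what the advisory states, so report it as unknown instead of safe."""
    major, minor = v[0], v[1]
    if major == 3:
        return FIXED_3_23
    if major == 4 and minor == 0:
        return FIXED_4_0
    return None


def is_affected(version: str) -> Optional[bool]:
    """True if inside the affected range, False if at/after the fix, None if the
    string is unparseable or the branch is not covered by the advisory."""
    v = parse_mysql_version(version)
    if v is None:
        return None
    fixed = fixed_release_for(v)
    if fixed is None:
        return None
    return v < fixed


def audit_inventory(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Bucket hosts so the result is actionable: patch 'affected' first, then examine
    'unknown' by hand (a wrong guess there is how an old box gets forgotten)."""
    buckets: Dict[str, List[str]] = {"affected": [], "fixed": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        status = is_affected(version)
        name = "unknown" if status is None else ("affected" if status else "fixed")
        buckets[name].append(f"{host} ({version})")
    return buckets


# Constructed sample inventory: hostnames and version strings invented for this example.
SAMPLE_INVENTORY = {
    "db1.intranet.example": "3.23.52-log",
    "db2.intranet.example": "3.23.53a-log",
    "db3.intranet.example": "3.23.54",
    "dev.intranet.example": "4.0.4-beta",
    "web.intranet.example": "4.0.5a-max-nt",
    "old.intranet.example": "3.22.32",
    "bad.intranet.example": "not a version",
}

if __name__ == "__main__":
    for bucket, hosts in audit_inventory(SAMPLE_INVENTORY).items():
        print(bucket)
        for h in hosts:
            print("  " + h)
```

The lettered re-release matters: a server reporting plain 3.23.53 is still inside the affected range, and only 3.23.53a or later is not, which is why the comparison keeps the trailing letter as a separate tuple element rather than stripping it.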
TOPICS: Business/Economy; Technical
KEYWORDS: mysql
Once more, with feeling ... tell me how superior open source development methodology is ...
1 posted on 12/16/2002 7:48:02 PM PST by Bush2000
To: Bush2000
Vendor Response
03. December 2002 Vendor was contacted by email.
04. December 2002 Vendor informs me that bugs are fixed and that they started building new packages.
12. December 2002 Vendor has released MySQL 3.23.54 which fixes these vulnerabilities.
2 posted on 12/16/2002 7:53:35 PM PST by mikenola
To: Bush2000
Call me when I see thousands of port 3306 scans on the Internet.
3 posted on 12/16/2002 7:54:23 PM PST by sigSEGV
To: Bush2000
Sigh! It'd be so nice if FR used SQL Server...
To: mikenola
Pity that the "vulnerabilities affect all versions prior to 3.23.53a and 4.0.5a". Who knows how much data was lifted all this time ...
5 posted on 12/16/2002 7:57:31 PM PST by Bush2000
To: Bush2000
"Once more, with feeling ... tell me how superior open source development methodology is ..."
See #2... in the meantime, I'm still waiting on that "other" company to acknowledge - much less fix - several known security flaws. Oh well.
6 posted on 12/16/2002 7:59:14 PM PST by bcoffey
To: sigSEGV
Call me when I see thousands of port 3306 scans on the Internet.
LMFAO! Tsk, tsk. The issue isn't Internet-based MySQL servers, dude, and you know it. Nobody exposes their MySQL or SQL Server or Oracle boxes directly on the Internet (unless they're truly morons). Nope, the issue here is intranet-based hacking. MySQL is wide-open. This is pathetic.
7 posted on 12/16/2002 8:00:02 PM PST by Bush2000
To: bcoffey
See #2... in the meantime, I'm still waiting on that "other" company to acknowledge - much less fix - several known security flaws. Oh well.
Too bad your peer-review model failed. Badly. And using your fallback "but Microsoft has issues, too" defense is hardly comforting to the rubes who got screwed by MySQL intrusions ...
8 posted on 12/16/2002 8:01:51 PM PST by Bush2000
To: Bush2000
Anybody that allows connection attempts to an SQL server port from somewhere that is not needed is an idiot. Then again the typical MS "administrator" wouldn't know how to prevent that. That's why you still see tons of MS SQL worms scanning the Internet.
9 posted on 12/16/2002 8:05:25 PM PST by sigSEGV
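Posts 3, 7 and 9 above argue about where port 3306 should be reachable from: not the Internet, and on the intranet only from hosts that need it. The check a practitioner would run against that argument is to read what the server's option file actually binds to. The block below is an added example written for this page (not code from the posters, MySQL or e-matters): three constructed my.cnf fragments, the weak default-style one beside the two hardened forms, and a small reader that classifies each. Assumptions: `bind-address` and `skip-networking` are available on the server release in use, and `_` and `-` are interchangeable in option names; a host firewall can narrow exposure further but is not visible in the option file.

```python
# Constructed my.cnf fragments (written for this example, not taken from any real host).
# The weak one leaves mysqld listening on every interface, which is the intranet-exposure
# case the thread is arguing about; the other two are the two ways to narrow it.
WEAK_MYCNF = """\
[mysqld]
port=3306
datadir=/var/lib/mysql
"""

# bind-address pins the listener to one address. 127.0.0.1 is right when the application
# runs on the same box; otherwise use the address of the interface the app hosts reach.
HARDENED_MYCNF = """\
[mysqld]
port=3306
datadir=/var/lib/mysql
bind-address=127.0.0.1
"""

# skip-networking removes the TCP listener entirely; local clients use the Unix socket.
SOCKET_ONLY_MYCNF = """\
[mysqld]
datadir=/var/lib/mysql
skip-networking
"""


def mysqld_options(text: str) -> dict:
    """Minimal option-file reader: returns the keys under [mysqld] with their values
    ('' for bare flags such as skip-networking). Later lines override earlier ones,
    and '_' is folded to '-' so skip_networking and skip-networking match (assumption)."""
    opts = {}
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "mysqld":
            continue
        key, _, value = line.partition("=")
        opts[key.strip().lower().replace("_", "-")] = value.strip()
    return opts


def network_exposure(text: str) -> str:
    """Classify where the server's TCP listener is reachable from, based only on the
    option file. An empty or wildcard bind-address means every interface."""
    opts = mysqld_options(text)
    if "skip-networking" in opts:
        return "no TCP listener"
    addr = opts.get("bind-address", "")
    if addr in ("", "0.0.0.0", "::"):
        return "all interfaces"
    return "only " + addr


def audit_mycnf(text: str) -> list:
    """Return the findings a reviewer would want to see, as plain strings."""
    exposure = network_exposure(text)
    findings = ["listener: " + exposure]
    if exposure == "all interfaces":
        findings.append("weak: every host that can route to port 3306 can attempt a login; "
                        "set bind-address or skip-networking, and filter 3306 on the host")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_MYCNF), ("hardened", HARDENED_MYCNF),
                      ("socket-only", SOCKET_ONLY_MYCNF)):
        print(name, audit_mycnf(cfg))
```

The reader deliberately reports a missing `bind-address` as "all interfaces" rather than "unknown": in the absence of the option the server listens everywhere, and that is the case the thread calls wide open.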
To: sigSEGV
Then again the typical MS "administrator" wouldn't know how to prevent that. That's why you still see tons of MS SQL worms scanning the Internet.
Dude, I wouldn't crow too loudly. There are thousands of machines infected with the Linux Slapper worm out there.
10 posted on 12/16/2002 8:10:22 PM PST by Bush2000
To: Bush2000
Too bad your peer-review model failed. Badly. And using your fallback "but Microsoft has issues, too" defense is hardly comforting to the rubes who got screwed by MySQL intrusions ...
All peer-review models fail. I'd be interested in seeing how many actual hacks occurred during the brief period when this was known. I suppose you think we should all code in 'access' for lightweight databases.
Mean time between fixes is still =much= smaller for Open Source. I'll also be willing to bet that the fix requires not a single system reboot.
11 posted on 12/16/2002 8:10:43 PM PST by zeugma
To: zeugma
I'd be interested in seeing how many actual hacks occurred during the brief period when this was known.
Who cares about "the brief period when this was known". I'd be more concerned about the period before anybody knew about it -- the time during which MySQL boxes were wide-open to attackers.
Mean time between fixes is still =much= smaller for Open Source.
That's so comforting. Too bad it says nothing about the quality (or lack) of the code in the first place.
I'll also be willing to bet that the fix requires not a single system reboot.
So what. SQL Server wouldn't require a reboot either. You stop and restart the service. Done.
12 posted on 12/16/2002 8:13:03 PM PST by Bush2000
To: zeugma
Also there's the fact that if you happen to be a programmer yourself, you can fix any bugs you find immediately and don't have to wait for the original developer to do so.
To: thoughtomator
Also there's the fact that if you happen to be a programmer yourself, you can fix any bugs you find immediately and don't have to wait for the original developer to do so.
Also there's the fact that if you happen to be a hacker yourself, you can exploit bugs you find immediately and don't have to wait for the original developer to do so.
14 posted on 12/16/2002 8:18:47 PM PST by Bush2000
To: Bush2000
You stop and restart the service. Done.
Speaking as a SQL Server DBA of some years' (maybe 8 now) experience, I have to say, not always true. At least a couple of the last few hotfix items required a restart of the whole server. I try not to upgrade without some serious independent assessment because in more than one case the security fix rendered the server open kimono.
I'm not going to participate in this asinine feckfest, but it seems to me if Microsoft declared home-made Pastrami sandwiches a threat to innovation some folks would be loudly touting the virtues of Microsoft Pastrami over the depravity of home cooking every time a sandwich spoiled....
16 posted on 12/16/2002 8:42:07 PM PST by no-s
To: Bush2000
Dude...you really got a thing for Linux. What's up with that? Oh let me guess.....you got one huge stake in MSFT........;>)
Psssst....word up dog....you might wanna yank it real soon.....
No...No...I meant the MSFT...
17 posted on 12/16/2002 8:52:33 PM PST by hove
To: Bush2000
Oh so this one instance of a security hole somehow makes the NUMEROUS problems found in Microsoft gear? Give me a break. When the big Apache bug was posted they had a fix out the next day. Microsoft hides their flaws from the public until they have a patch ready god only knows how long after they are notified.
Network security is only as good as the network admin anyways. Who are you going to trust? Some pimply-faced 25-year-old with a brand new MCSE cert that proves he can buy a book on test taking and pass a pretty standard test? Or someone with a library of O'Reilly books on Unix....
Winders is ok. But Unix is where real men play...
To: Bush2000
Who knows how much data was lifted all this time ...
Considering that MySQL is lightweight and lacks the sorts of transaction and data integrity controls found in full-blown database management systems (many critics refuse to call MySQL a real DBMS), it is largely used for applications where the data doesn't need much protection. Who really cares if someone lifts all the data off of a public message board? And you shouldn't be storing things like passwords in plain text, anyway. If you want a more fully featured open source database, try PostgreSQL. If that's not good enough for you and you really have a commercial software fetish, you can always run Oracle, Informix, DB2, or the (now open) SAP database on a Linux server.
To: Bush2000
That's so comforting. Too bad it says nothing about the quality (or lack) of the code in the first place.
MySQL is a lightweight database that doesn't allow integrity constraints or triggers and only recently added some transaction control. It isn't even considered a real DBMS by most hard-core database people. Its claim to fame is that it is fast and easy. But it is hardly the only open source database out there.
By the way, what is your opinion of formerly commercial software released into the open-source community such as AOL Server and the SAP DB? I suppose you have a problem with the code used to run AOL's web services and the code used for SAP products, too?