MySQL open to attack [No, make that TheirSQL]
ZDNet ^ | 16 December 2002 | Patrick Gray

Posted on 12/16/2002 7:48:02 PM PST by Bush2000

By Patrick Gray, ZDNet Australia
16 December 2002

Several vulnerabilities have been found in the MySQL database system, a lightweight database package commonly used in Linux environments that also runs on Microsoft platforms, HP-UX, Mac OS and more. E-matters, a German company, released a security advisory after discovering the security flaws. They have rated the vulnerabilities as "Medium to Critical" in severity.

The security flaws discovered by the company range from Denial of Service (DoS) problems to more serious issues.

"...one of the flaws can be used to bypass the MySQL password check or to execute arbitrary code," the advisory said.

E-matters also found multiple vulnerabilities in the MySQL client libraries, which "...could allow DoS attacks against or arbitrary code execution within anything linked against libmysqlclient."

The vulnerabilities affect all versions prior to 3.23.53a and 4.0.5a. MySQL have released an updated "version 3" (3.23.54) that is immune to the security bugs.

It is not known when an updated "version 4" MySQL will be released.

E-matters will not be releasing an exploit for the vulnerability.
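The article gives the fixed releases (3.23.53a on the 3.23 branch, 4.0.5a on the 4.0 branch) and says everything older is affected. As an added defender-side example, not taken from the article or the e-matters advisory, the following Python checks server version strings (as printed by `mysql --version` or returned by `SELECT VERSION()`) against those thresholds so an administrator can audit an inventory. The branch thresholds come from the article; treating the letter suffix in 3.23.53a as a post-release bump (3.23.53 < 3.23.53a) and the sample inventory are assumptions of this example.

```python
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int, str]

# Fixed releases named in the article; anything older on the same branch is affected.
FIXED = {
    3: (3, 23, 53, "a"),   # 3.23 branch
    4: (4, 0, 5, "a"),     # 4.0 branch
}

# major.minor.patch plus an optional single-letter suffix (e.g. 3.23.53a)
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_version(text: str) -> Optional[Version]:
    """Extract (major, minor, patch, suffix) from strings such as '3.23.52-log'
    or 'mysql  Ver 11.18 Distrib 3.23.53a, for pc-linux-gnu (i686)'.
    Assumption: the suffix sorts after the bare number, so '' < 'a' < 'b'."""
    m = VERSION_RE.search(text)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)


def is_affected(text: str) -> Optional[bool]:
    """True if the version predates the fixed release on its branch, False if it
    is at or after the fix, None if unparseable or on a branch the article does
    not cover (e.g. 4.1 development builds)."""
    v = parse_version(text)
    if v is None:
        return None
    major, minor = v[0], v[1]
    if major < 3:
        return True                      # older than every fixed release
    if major == 3:
        return v < FIXED[3]              # tuple compare: 3.23.53 < 3.23.53a < 3.23.54
    if major == 4 and minor == 0:
        return v < FIXED[4]
    return None


# Constructed sample inventory (host, version string); not real hosts.
SAMPLE_INVENTORY = [
    ("db1", "mysql  Ver 11.18 Distrib 3.23.52, for pc-linux-gnu (i686)"),
    ("db2", "3.23.53a-log"),
    ("db3", "4.0.5-max"),
    ("db4", "4.0.5a"),
    ("db5", "3.23.54"),
    ("web1", "4.1.0-alpha"),
]


def audit(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the hosts whose server still needs the update."""
    return [host for host, ver in inventory if is_affected(ver)]
```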


TOPICS: Business/Economy; Technical
KEYWORDS: mysql
Once more, with feeling ... tell me how superior open source development methodology is ...
1 posted on 12/16/2002 7:48:02 PM PST by Bush2000

To: Bush2000

Vendor Response

03. December 2002 Vendor was contacted by email.

04. December 2002 Vendor informs me that bugs are fixed and that they started building new packages.

12. December 2002 Vendor has released MySQL 3.23.54 which fixes these vulnerabilities.

2 posted on 12/16/2002 7:53:35 PM PST by mikenola

To: Bush2000
Call me when I see thousands of port 3306 scans on the Internet.
3 posted on 12/16/2002 7:54:23 PM PST by sigSEGV

To: Bush2000
Sigh! It'd be so nice if FR used SQL Server...
4 posted on 12/16/2002 7:57:16 PM PST by Incorrigible

To: mikenola
Pity that the "vulnerabilities affect all versions prior to 3.23.53a and 4.0.5a". Who knows how much data was lifted all this time ...
5 posted on 12/16/2002 7:57:31 PM PST by Bush2000

To: Bush2000
"Once more, with feeling ... tell me how superior open source development methodology is ... "

See #2... in the meantime, I'm still waiting on that "other" company to acknowledge - much less fix - several known security flaws. Oh well.

6 posted on 12/16/2002 7:59:14 PM PST by bcoffey

To: sigSEGV
Call me when I see thousands of port 3306 scans on the Internet.

LMFAO! Tsk, tsk. The issue isn't Internet-based MySQL servers, dude, and you know it. Nobody exposes their MySQL or SQL Server or Oracle boxes directly on the Internet (unless they're truly morons). Nope, the issue here is intranet-based hacking. MySQL is wide-open. This is pathetic.
7 posted on 12/16/2002 8:00:02 PM PST by Bush2000

To: bcoffey
See #2... in the meantime, I'm still waiting on that "other" company to acknowledge - much less fix - several known security flaws. Oh well.

Too bad your peer-review model failed. Badly. And using your fallback "but Microsoft has issues, too" defense is hardly comforting to the rubes who got screwed by MySQL intrusions ...
8 posted on 12/16/2002 8:01:51 PM PST by Bush2000

To: Bush2000
Anybody that allows connection attempts to an SQL server port from somewhere that is not needed is an idiot. Then again the typical MS "administrator" wouldn't know how to prevent that. That's why you still see tons of MS SQL worms scanning the Internet.
9 posted on 12/16/2002 8:05:25 PM PST by sigSEGV

To: sigSEGV
Then again the typical MS "administrator" wouldn't know how to prevent that. That's why you still see tons of MS SQL worms scanning the Internet.

Dude, I wouldn't crow too loudly. There are thousands of machines infected with the Linux Slapper worm out there.
10 posted on 12/16/2002 8:10:22 PM PST by Bush2000

To: Bush2000
Too bad your peer-review model failed. Badly. And using your fallback "but Microsoft has issues, too" defense is hardly comforting to the rubes who got screwed by MySQL intrusions ...

All peer-review models fail. I'd be interested in seeing how many actual hacks occurred during the brief period when this was known. I suppose you think we should all code in 'access' for lightweight databases.

Mean time between fixes is still =much= smaller for Open Source. I'll also be willing to bet that the fix requires not a single system reboot.

11 posted on 12/16/2002 8:10:43 PM PST by zeugma

To: zeugma
I'd be interested in seeing how many actual hacks occurred during the brief period when this was known.

Who cares about "the brief period when this was known". I'd be more concerned about the period before anybody knew about it -- the time during which MySQL boxes were wide-open to attackers.

Mean time between fixes is still =much= smaller for Open Source.

That's so comforting. Too bad it says nothing about the quality (or lack) of the code in the first place.

I'll also be willing to bet that the fix requires not a single system reboot.

So what. SQL Server wouldn't require a reboot either. You stop and restart the service. Done.
12 posted on 12/16/2002 8:13:03 PM PST by Bush2000

To: zeugma
Also there's the fact that if you happen to be a programmer yourself, you can fix any bugs you find immediately and don't have to wait for the original developer to do so.
13 posted on 12/16/2002 8:13:48 PM PST by thoughtomator

To: thoughtomator
Also there's the fact that if you happen to be a programmer yourself, you can fix any bugs you find immediately and don't have to wait for the original developer to do so.

Also there's the fact that if you happen to be a hacker yourself, you can exploit bugs you find immediately and don't have to wait for the original developer to do so.
14 posted on 12/16/2002 8:18:47 PM PST by Bush2000

.
15 posted on 12/16/2002 8:33:22 PM PST by ShadowAce

To: Bush2000
You stop and restart the service. Done.

Speaking as a SQL Server DBA of some years' (maybe 8 now) experience, I have to say, not always true. At least a couple of the last few hotfix items required a restart of the whole server. I try not to upgrade without some serious independent assessment because in more than one case the security fix rendered the server open kimono.

I'm not going to participate in this asinine feckfest, but it seems to me if Microsoft declared home-made Pastrami sandwiches a threat to innovation some folks would be loudly touting the virtues of Microsoft Pastrami over the depravity of home cooking every time a sandwich spoiled....

16 posted on 12/16/2002 8:42:07 PM PST by no-s

To: Bush2000
Dude...you really got a thing for Linux. What's up with that? Oh let me guess.....you got one huge stake in MSFT........;>)

Psssst....word up dog....you might wanna yank it real soon.....

No...No...I meant the MSFT...

17 posted on 12/16/2002 8:52:33 PM PST by hove

To: Bush2000
Oh so this one instance of a security hole somehow makes the NUMEROUS problems found in Microsoft gear? Give me a break. When the big Apache bug was posted they had a fix out the next day. Microsoft hides their flaws from the public until they have a patch ready god only knows how long after they are notified.

Network security is only as good as the network admin anyways. Who are you going to trust? Some pimply-faced 25-year-old with a brand new MCSE cert that proves he can buy a book on test taking and pass a pretty standard test? Or someone with a library of O'Reilly books on Unix....

Winders is ok. But Unix is where real men play...

18 posted on 12/16/2002 8:57:43 PM PST by Orblivion

To: Bush2000
Who knows how much data was lifted all this time ...

Considering that MySQL is lightweight and lacks the sorts of transaction and data integrity controls found in full-blown database management systems (many critics refuse to call MySQL a real DBMS), it is largely used for applications where the data doesn't need much protection. Who really cares if someone lifts all the data off of a public message board? And you shouldn't be storing things like passwords in plain text, anyway. If you want a more fully featured open source database, try PostgreSQL. If that's not good enough for you and you really have a commercial software fetish, you can always run Oracle, Informix, DB2, or the (now open) SAP database on a Linux server.

19 posted on 12/16/2002 8:58:16 PM PST by Question_Assumptions

To: Bush2000
That's so comforting. Too bad it says nothing about the quality (or lack) of the code in the first place.

MySQL is a lightweight database that doesn't allow integrity constraints or triggers and only recently added some transaction control. It isn't even considered a real DBMS by most hard-core database people. Its claim to fame is that it is fast and easy. But it is hardly the only open source database out there.

By the way, what is your opinion of formerly commercial software released into the open-source community such as AOL Server and the SAP DB? I suppose you have a problem with the code used to run AOL's web services and the code used for SAP products, too?

20 posted on 12/16/2002 9:08:13 PM PST by Question_Assumptions
