MySQL open to attack [No, make that TheirSQL]

ZDNet ^ | 16 December 2002 | Patrick Gray

[Bush2000]

MySQL open to attack [No, make that Their SQL]

By Patrick Gray, ZDNet Australia
16 December 2002

Several vulnerabilities have been found in the MySQL database system, a light database package commonly used in Linux environments but which runs also on Microsoft platforms, HP-Unix, Mac OS and more. E-matters, a German company, released a security advisory after discovering the security flaws. They have rated the vulnerabilities as "Medium to Critical" in severity.

The security flaws discovered by the company range from Denial of Service (DoS) problems to more serious issues.

"...one of the flaws can be used to bypass the MySQL password check or to execute arbitrary code," the advisory said.

E-matters also found multiple vulnerabilities in the MySQL client libraries, which "...could allow DoS attacks against or arbitrary code execution within anything linked against libmysqlclient."

The vulnerabilities affect all versions prior to 3.23.53a and 4.0.5a. MySQL have released an updated "version 3" (3.23.54) that is immune to the security bugs.

It is not known when an updated "version 4" MySQL will be released.

E-matters will not be releasing an exploit for the vulnerability.

[Bush2000]

Once more, with feeling ... tell me how superior open source development methodology is ...

[mikenola]

Vendor Response

03. December 2002 Vendor was contacted by email.

04. December 2002 Vendor informs me that bugs are fixed and that they started building new packages.

12. December 2002 Vendor has released MySQL 3.23.54 which fixes these vulnerabilities.

[sigSEGV]

Call me when I see thousands of port 3306 scans on the Internet.

[Incorrigible]

Sigh!  I'd be so nice if FR used SQL Server...

[Bush2000]

Pity that the "vulnerabilities affect all versions prior to 3.23.53a and 4.0.5a". Who knows how much data was lifted all this time ...

[bcoffey]

"Once more, with feeling ... tell me how superior open source development methodology is ... "

See #2... in the mean time, I'm still waiting on that "other" company to acknowledge - much less fix - several know security flaws. Oh well.

[Bush2000]

Call me when I see thousands of port 3306 scans on the Internet.

LMFAO! Tsk, tsk. The issue isn't Internet-based MySQL servers, dude, and you know it. Nobody exposes their MySQL or SQL Server or Oracle boxes directly on the Internet (unless they're truly morons). Nope, the issue here is intranet-based hacking. MySQL is wide-open. This is pathetic.

[Bush2000]

See #2... in the mean time, I'm still waiting on that "other" company to acknowledge - much less fix - several know security flaws. Oh well.

Too bad your peer-review model failed. Badly. And using your fallback "but Microsoft has issues, too" defense is hardly comforting to the rubes who got screwed by MySQL intrusions ...

[sigSEGV]

Anybody that allows connection attempts to an SQL server port from somewhere that is not needed is an idiot. Then again the typical MS "administrator" wouldn't know how to prevent that. That's why you still see tons of MS SQL worms scanning the Internet.

[Bush2000]

Then again the typical MS "administrator" wouldn't know how to prevent that. That's why you still see tons of MS SQL worms scanning the Internet.

Dude, I wouldn't crow too loudly. There are thousands of machines infected with the Linux Slapper worm out there.

[zeugma]

Too bad your peer-review model failed. Badly. And using your fallback "but Microsoft has issues, too" defense is hardly comforting to the rubes who got screwed by MySQL intrusions ...

All peer-reviews models fail. I'd be interested in seeing how many actual hacks occurred during the brief period when this was known. I suppose you think we should all code in 'access' for lightweight databases.

Mean time betwen fixes is still =much= smaller for Open Source. I'll also be willing to bet that the fix requires not a single system reboot.

[Bush2000]

I'd be interested in seeing how many actual hacks occurred during the brief period when this was known.

Who cares about "the brief period when this was known". I'd be more concerned about the period before anybody knew about it -- the time during which MySQL boxes were wide-open to attackers.

Mean time betwen fixes is still =much= smaller for Open Source.

That's so comforting. Too bad it says nothing about the quality (or lack) of the code in the first place.

I'll also be willing to bet that the fix requires not a single system reboot.

So what. SQL Server wouldn't require a reboot either. You stop and restart the service. Done.

[thoughtomator]

Also there's the fact that if you happen to be a programmer yourself, you can fix any bugs you find immediately and don't have to wait for the original developer to do so.

[Bush2000]

Also there's the fact that if you happen to be a programmer yourself, you can fix any bugs you find immediately and don't have to wait for the original developer to do so.

Also there's the fact that if you happen to be a hacker yourself, you can exploit bugs you find immediately and don't have to wait for the original developer to do so.

[ShadowAce]

.

[no-s]

You stop and restart the service. Done.

Speaking as a SQL Server DBA of some years (maybe 8 now) experience I have to say, not always true. At least a couple of the last few hotfix items required a restart of the whole server. I try not to upgrade without some serious independent assessment because in more than one case the security fix rendered the server open kimono.

I'm not going to participate in this asinine feckfest, but it seems to me if Microsoft declared home-made Pastrami sandwiches a threat to innovation some folks would be loudly touting the virtues of Microsoft Pastrami over the depravity of home cooking every time a sandwich spoiled....

[hove]

Dude...you really got a thing for Linux. What's up with that? Oh let me guess.....you got one huge stake in MSFT........;>)

Psssst....word up dog....you might wanna yank it real soon.....

No...No...I meant the MSFT...

[Orblivion]

Oh so this one instance of a security hole somehow makes the NUMEROUS problems found in Microsoft gear? Give me a break. When the big Apache bug was posted they had a fix out the next day. Microsoft hides their flaws from the public until they have a patch ready god only knows how long after they are notified.

Network security is only as good as the network admin anyways. Who are you going to trust? Some pimply face 25 year old with a brand new MCSE cert that proves he can buy a book on test taking and pass a pretty standard test? Or someone with a library of Orielly books on Unix....

Winders is ok. But Unix is where real men play...

[Question_Assumptions]

Who knows how much data was lifted all this time ...

Considering that MySQL is lightweight and lacks the sorts of transaction and data integrity controls found in full-blown database management systems (many critics refuse to call MySQL a real DBMS), it is largely used for applications where the data doesn't need much protection. Who really cares if someone lifts all the data off of a public message board? And you shouldn't be storing things like passwords in plain text, anyway. If you want a more fully featured open source database, try PostgreSQL. If that's not good enough for you and you really have a commercial software fetish, you can always run Oracle, Informix, DB2, or the (now open) SAP database on a Linux server.

[Question_Assumptions]

That's so comforting. Too bad it says nothing about the quality (or lack) of the code in the first place.

MySQL is a lightweight database that doesn't allow integrity constraints or triggers and only recently added some transaction control. It isn't even considered a real DBMS by most hard-core database people. It's claim to fame is that it is fast and easy. But it is hardly the only open source database out there.

By the way, what is your opinion of formerly commercial software released into the open-source community such as AOL Server and the SAP DB? I suppose you have a problem with the code used to run AOL's web services and the code used for SAP products, too?