
The dark side of open source: Hacking MySQL

Opinion and Analysis

Vulnerability CVE-2006-2753 describes an SQL injection vulnerability in versions of MySQL 4.1.x before version 4.1.20 and versions 5.0.x before 5.0.22 – which certainly covers our target version 5.0.15.

SQL injection is particularly nasty; it allows an application user to enter input data which is inserted directly into a database SQL query. If, for instance, a program prompts for a username and password and you know it is using an SQL query to look up the credentials, you can try to craft your input such that you will be logged in every time.

Imagine the query used is

SELECT * FROM Users WHERE Username = '<Username>' AND Password = '<Password>'

where <Username> and <Password> are the values input by the user. If the Username entered is

admin' #

then the query becomes

SELECT * FROM Users WHERE Username = 'admin' #' AND Password = '<Password>'

Simply put, this means the database query will actually ignore the password, because the # marks everything following it as a comment that is not a real part of the statement. So the query just lets the user log in as user admin without requiring a valid password at all.
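The following added example (not from the article) shows the vulnerable string-spliced login beside the parameterized fix; a parameterized query sends the values separately from the SQL text, so it does not rely on an escaping routine at all. It assumes an in-memory SQLite database as an offline stand-in for MySQL; SQLite's line comment marker is "--" where MySQL also accepts "#", so the executed bypass uses "admin' --" while the string-building function reproduces the article's "admin' #" query verbatim.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data: a single account standing in for the Users table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('admin', 'correct horse battery staple')")
    return conn


def build_query_unsafe(username: str, password: str) -> str:
    # The pattern the article describes: user input spliced straight into the SQL text.
    return ("SELECT * FROM Users WHERE Username = '" + username
            + "' AND Password = '" + password + "'")


def login_unsafe(conn: sqlite3.Connection, username: str, password: str):
    # Executes the spliced query. A comment marker inside the username cuts the
    # password comparison off the end of the statement, exactly as in the article.
    # SQLite's line comment is "--"; MySQL additionally treats "#" the same way.
    return conn.execute(build_query_unsafe(username, password)).fetchone()


def login_safe(conn: sqlite3.Connection, username: str, password: str):
    # Parameterized query: the driver passes the values separately from the SQL
    # text, so quotes and comment markers in them are plain data, never syntax.
    return conn.execute(
        "SELECT * FROM Users WHERE Username = ? AND Password = ?",
        (username, password),
    ).fetchone()


if __name__ == "__main__":
    conn = make_db()
    print(build_query_unsafe("admin' #", "guess"))
    print("unsafe login:", login_unsafe(conn, "admin' --", "guess"))   # row returned
    print("safe login:  ", login_safe(conn, "admin' --", "guess"))     # None
```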

A recent episode of the brilliant xkcd comic strip illustrated SQL injection. I still laugh when I think of “Little Bobby Tables.”

So then, we know immediately that SQL injection is possible in MySQL version 5.0.15 (and others). It isn’t as simple as the example above; this vulnerability requires the injected SQL to be smuggled inside specially crafted multibyte characters, and that requires some expertise. Really, the underlying problem is that a function – mysql_real_escape – had a flaw and did not correctly handle multibyte character sets when escaping input, and this can be exploited.

Although it requires some tech savvy to use, this vulnerability is pernicious because the cracker does not need any network access to the MySQL server beyond that provided by a front-end application, which may well be an Internet-facing web site.

If SQL injection is possible there is no real limit to what an attacker can do. One possibility has nothing to do with the database contents at all. MySQL offers a function, LOAD_FILE, which returns a string containing the contents of a file on the server. Thus

SELECT LOAD_FILE('/etc/passwd');

will display the contents of the /etc/passwd file, revealing all user accounts on the system. Additionally, it’s possible to write files on the server using the SELECT ... INTO OUTFILE statement. So, via a MySQL exploit, a wily cracker can even add a login to your system or modify any other file, subverting the system further.

Looking back over the list of past MySQL security holes, many are troubling: versions 5.0.0-2 and 4.1.3 fixed a flaw where database authentication could be bypassed via a zero-length string. Another problem on Windows platforms saw MySQL user passwords being stored in plain text in a file called my.ini; if this file could be read then the passwords were exposed.

How do you secure yourself? Please do read on.
