Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 569
Alerts This Week
Warning Icon 1 569

MySQL Advisory: Blind SQL Injection Threat to Database Access

General Esm H446
On a security mailing list over the weekend, an unknown party published details about the structure and content of databases on the website of database vendor MySQL. The information was apparently accessible via a security hole on the MySQL.com website. The hacker says the vulnerability is a blind SQL injection problem. This is a worst case scenario for a web server because the flaw allows access to the entire database behind a public-facing website. SQL injections are possible when SQL commands can be embedded in user input so that Web servers pass them on to the database.

Blind SQL injection means that the result of the database operation is not displayed; in other words, the attacker has to work blindly. In such cases, hackers therefore often ask the database yes/no questions and link one of the answers to a time-consuming operation. Depending on how long it takes the resulting page to appear, they can then tell what the response to the query was.

The link for this article located at H Security is no longer available.