SQL Injection Attacks Hit Sun.com And MySQL.com

The same hackers who exposed all the databases running on MySQL.com attacked Sun.com.

The Rumanian hackers, “TinKode” and “Ne0h” compromised two Sun subdomains, including www.reman.sun.com and www.ibb.sun.com, according to a blog post on March 27. Using a SQL injection attack, TinKode was able to obtain table names, column names and email addresses stored in one of the tables. It is not clear at this point whether TinKode compromised any passwords on the Sun.com site or if this information is being held back for some reason.

TinKode has been busy in recent days going after MySQL databases. According to TinKode’s Bay Words blog, TinKode used the SQL injection attack on MySQL.com March 27 and on ESET’s Rumanian page March 20.

Site Coding Not Database At Fault

The problem was not with the open-source database software, but with the way the Website was coded, Chester Wisniewski, a Sophos senior security advisor, wrote on the Naked Security blog.

In the blind SQL injection attack on MySQL.com, the same hackers managed to expose database names, tables, columns, user accounts and passwords. Along with administrator passwords for the databases, the hackers managed to expose expose WordPress blog passwords that had been stored in the tables.

It is not clear whether the same vulnerability existed on both sites. SQL injection vulnerabilities allow remote attackers to compromise databases through the Website by inserting malicious SQL code into input fields, such as Web forms. If the application does not handle the code correctly, it is passed to the database, which executes the command and returns the results to the browser for the attacker to see.

“Auditing your Websites for SQL injection is an essential practice, as well as using secure passwords,” Wisniewski wrote. “Either can lead you down a road that ends in tears.”

Both MySQL.com and Sun.com have a number of unfixed cross-site-scripting vulnerabilities on their sites, according to XSSed.com, where security researchers and hackers submit found XSS flaws. Both domains had issues that were discovered as recently as January. It is not clear if attackers combined the XSS flaws with the SQL injection attacks.

Organisations should regularly check their code to ensure there are no flaws, said Rafal Los, a security evangelist at HP. It is not enough to just hide SQL errors from an attacker, since these hackers used a blind SQL injection technique, where they wrote complicated code to expose little bits of the data at a time and re-created the information, Los noted.

Organisations are beginning to catch on about the importance of checking their Websites for SQL injection vulnerabilities, Los told eWEEK. Things were not “great, just better”, he said, noting that there were fewer incidents of SQL injection attacks compromising critical Websites such as banking and e-commerce sites. Most SQL injection attacks tend to be on older and less sensitive sites, he said.

Oracle is not likely to do any immediate fixing on Sun.com, as the company is moving away from using that domain. Oracle is currently redirecting all sun.com URLs to Oracle domains with “1:1 redirects where possible”, according to a March 10 post by Richard Ramsey, on the Oracle Technology Network Garage blog.

The domain had been redirecting to an Oracle site for some time, and most of the content that was on BigAdmin, OpenSolaris.com and some sections of SDN has already been migrated to the System Admin and Developer Community on the Oracle Technology Network, according to Ramsey. The blogs at blogs.sun.com will continue to function as is as Oracle builds out a similar blogging platform on oracle.com, he said. There was no word on what will happen to other subdomains, such as java.sun.com.

Oracle acquired Sun Microsystems and its entire open-source portfolio, including Java and MySQL, in April 2009. However, regulatory reviews delayed the close of the $7.4 billion buy-out until January 2010. Oracle has yet to comment or acknowledge the breach on either Sun.com or MySQL.com.