http://mysql.com/customers/customer.php?id=38%20AND%201=1

imho very funny ;-)
webmaster got informed, fulldisc-list will be noticed asap after webmaster replied

cheers alf

Cool, can you only perform logical stuff? or also potential dangerous ones?

hm i mean i'm no database guru, but if my "logical stuff" is executed, i could find out the table_name and DROP the table, if you find out the users table then you'll probably be able to get passwords (hashes). but thats quite much work i think


cheers

It depends if they only allow certain logical selections, could be usefull in some cases. You could try to select tha db user, or try to count rows :) pretty harmless. But, I think it's better not try it out ^^ I'm interested what they have to say about it, do you post their reply?

If one were able to add new data into tables (say the one for forums or such), would it be possible to add PHP in which performs system() commands when parsed, then just access the data normally by browsing for it. Or would PHP not work like this and just return <?php evilness here ?> to the client?

It's possible to run system commands, in MySQL with PHP, but in SQL server it's far more dangerous, you can do alot more with simple vectors. Protecting a SQL server is a huge task. It's also possible to move records, copy and transfer it to another record, loading the boot.ini and every Windows system file. so yes it can be done.

Thank you for contacting MySQL AB,

We have fixed this, thanks again for pointing it out to us.


Hope this helps,

MySQL Web Team
---------------------------------------------------------------------

nah, 2 sentences, I hoped for more :(

cheers alf

Damn... a tad less I hoped for. Pretty weak reply certainly considering that they 'fixed' it. I really thought they would alow a few vectors pass, and respond that they 'knew'.

Hahah... that's what we call "irony". Very nice find. Too bad they weren't more gracious - you really did them a favor by responsible disclosure. More than a bad guy would have done that's for sure.

- RSnake
Gotta love it. http://ha.ckers.org

http://www.mysql.com/customers/customer.php?id=44%22%3C%3E

(check out different lang links, right most corner)
it is rendering into page source, but i dnt hv much time nw to play with it...
hope you ppl may find something ??
i wont say it is vulnerable to xss (hvnt tested much), but you ppl may find something out of the box.

- sn|ff

It is vulnerable but only in Internet Explorer (Firefox and Opera will escape the quotes):

http://www.mysql.com/customers/customer.php?id=44"/style="xss:expression(alert('xss'))"

hahaha!!
after sql injection, itz xss flaw
nybdy care to report thm????

- sn|ff

http://www.mysql.de/company/contact/sales.html?s=%22%3Cscript%3Ealert(123);%3C/script%3E

there are sooo many of them...
lol

- sn|ff

Nah, I wouldn't waste your time. They weren't exactly gracious last time someone reported it to them. I don't think they're ready to admit they don't take security seriously.

- RSnake
Gotta love it. http://ha.ckers.org

pOtTi Wrote:
-------------------------------------------------------
> http://www.mysql.de/company/contact/sales.html?s=%
> 22%3Cscript%3Ealert(123);%3C/script%3E


I realize me asking this is a result of my complete ignorance, but I don't understand what potential that has. I understand writing Javascript to a page and using AJAX/GET to retrieve cookies and such. These URL suffixes baffle me. I can see is an alert as I run the page. How can that possibly effect anyone else who visits a page? They're never going to open that URL unless you send it to them. I know there's a reason and I see these all over on Secunia. I just don't know what it can do.
Thank you for any information.

They don't need to visit mysql.de, it is enough if they visit your site (or some site you hacked). You load a specially prepared mysql.de URL in a hidden frame - and now you are running JavaScript code in the context of mysql.de with the privileges of this user. Of course you can send the same URL with spam or post it to a forum - doesn't matter as long as you can get people to going there.

Ahhh wow, interesting. I never thought of that.

I have to apologise for the curt reply, it wasn't intended to be ungracious, merely to let you know that we do appreciate your efforts and that we used the information to fix the problem. I think you may be reading far too much into the message.

We do take security seriously, and appreciate all the information received from the community. Please, keep up the good work.

Adam Donnison
Senior Web Developer, MySQL AB.

they fix the error in the web site already

inyection sql and csrf in forum (phorum)

http://forums.mysql.com/control.php

POST /control.php HTTP/1.1
Host: forums.mysql.com
User-Agent: Bender-Agent Alpha Beta Final 0.00001
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: es-cl,es;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cookie: [My Cookie]
Content-Type: application/x-www-form-urlencoded
Content-Length: 54

forum_id=0&panel=sig&panel=sig&forum_id=0&signature=xx

in signature, delete account, change mail, etc etc.



Edited 1 time(s). Last edit at 11/12/2009 09:55PM by WHK.

There are a couple on the main page as well.