Brian "Krow" Aker (krow) wrote,

Worms, oh yeah....

Came across this post this morning:

http://www.futhark.ch/index.php?action=comment&category=mysql&id=150

The Title is "Are you prepared for the attack of the MySQL worm?"

With all of the real security issues that exist on the Internet I dislike seeing people dream this stuff up.

The author describes having a piece of SQL inject itself into an event (which you don't need; the same thing could be done with a stored procedure and a sleep() call) and a Federated table.

Let us talk about why this is a non-issue:

  • Databases do not live on the Internet. They live behind firewalls where access is strictly controlled. Databases are not mail servers, web servers, or finger servers. People do not allow others to access their databases directly.

  • Databases do not know about other databases. Sure, you could scan for other databases, but email worms work in large part because of the information they get from local address books. The Internet is pretty big... local VPNs are frequently large as well.

  • No one sane lets users run arbitrary SQL on a database. Applications execute SQL. It's not that you click on a message in your email and suddenly your database executes SQL. Could you dream something like that up? Sure, but pinpointing a DBA with just this sort of access from their local computer? Someone would need to type arbitrary SQL into the database in the first place. If you have someone like this working for you, then you have a different concern to address.

One other question you should ask: why hasn't this happened before?

Postgres has its DBI-based federation, SQL Server has its own ODBC federation, and Oracle has its database link technology. Federating connections is nothing new. UDFs, which most vendors have, can be used to create more interesting problems.

Worry about cross-site scripting attacks, spend time making sure you lock down the ports you make available to the world... teach people to use good passwords and not to click on executables in their email!
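As an added example (not from the post or from MySQL itself), a small Python check of the three preconditions the post argues such a worm would need: a server that listens beyond localhost, the FEDERATED engine enabled so the server can open connections elsewhere, and an account that can create events or routines or connect from any host. The my.cnf fragments and SHOW GRANTS lines are constructed, and treating a missing bind-address as "all interfaces" is an assumption matching the 5.x defaults of the period.

```python
"""Check the preconditions the post says a MySQL worm would need (constructed example)."""
import re
from configparser import ConfigParser

# Privileges that let an account make the server run SQL on its own schedule
# (events, routines) or reach files and other hosts.
RISKY_PRIVS = {"EVENT", "CREATE ROUTINE", "ALTER ROUTINE", "FILE", "SUPER", "ALL PRIVILEGES"}
GRANT_RE = re.compile(
    r"^GRANT (?P<privs>.+?) ON (?P<scope>\S+) TO '(?P<user>[^']*)'@'(?P<host>[^']*)'")

def audit_config(my_cnf_text):
    """Flag [mysqld] settings that let the server be reached from, or reach out to, the network."""
    cp = ConfigParser(allow_no_value=True, strict=False, interpolation=None)
    cp.read_string(my_cnf_text)
    mysqld = cp["mysqld"] if cp.has_section("mysqld") else {}
    findings = []
    if "skip-networking" not in mysqld:
        # Assumption: an unset bind-address means all interfaces, as on MySQL 5.x.
        bind = mysqld.get("bind-address") or "0.0.0.0"
        if bind not in ("127.0.0.1", "::1", "localhost"):
            findings.append(f"listens on {bind}: reachable over the network")
    if "federated" in mysqld and "skip-federated" not in mysqld:
        findings.append("FEDERATED engine enabled: server can open connections to other databases")
    return findings

def audit_grants(show_grants_lines):
    """Flag accounts reachable from any host or holding privileges in RISKY_PRIVS."""
    findings = []
    for line in show_grants_lines:
        m = GRANT_RE.match(line.strip())
        if not m:
            continue
        acct = f"'{m['user']}'@'{m['host']}'"
        if m["host"] == "%":
            findings.append(f"{acct}: may connect from any host")
        risky = sorted({p.strip().upper() for p in m["privs"].split(",")} & RISKY_PRIVS)
        if risky:
            findings.append(f"{acct}: holds {', '.join(risky)} on {m['scope']}")
    return findings

# Constructed inputs: a weak my.cnf, a hardened one, and SHOW GRANTS output.
WEAK_CNF = "[mysqld]\nbind-address = 0.0.0.0\nfederated\n"
HARDENED_CNF = "[mysqld]\nbind-address = 127.0.0.1\nskip-federated\n"
SAMPLE_GRANTS = [
    "GRANT ALL PRIVILEGES ON *.* TO 'root'@'%'",
    "GRANT SELECT, INSERT, UPDATE ON `shop`.* TO 'app'@'10.0.0.5'",
    "GRANT SELECT, EVENT, CREATE ROUTINE ON `shop`.* TO 'batch'@'localhost'",
]

if __name__ == "__main__":
    for name, cnf in (("weak", WEAK_CNF), ("hardened", HARDENED_CNF)):
        print(name, audit_config(cnf) or ["ok"])
    print(*audit_grants(SAMPLE_GRANTS), sep="\n")
```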

I am more concerned about Bluetooth viruses infecting the cars around me :)