Raw MySQL access over the Internet is a bad idea
source link: http://rachelbythebay.com/w/2011/12/24/timing/
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
Raw MySQL access over the Internet is a bad idea
Okay, I'm going to have to pat myself on the back for some great timing here. Back on Wednesday, I wrote a post about how you should stick a stateful server in front of that database. The idea there was to make it so that your clients could just speak to it with high-level commands so that they wouldn't need to know about the database's language, schema, and so on.
Little did I know that a great post would land on Hacker News a couple of days later: Super Meat Boy leaves database wide open.
I'll summarize for anyone who doesn't want to read through the comments at HN or the SA post: they made a program with the MySQL client code baked in, and hardcoded a username+password combo. Then they had it phone home over the Internet to talk raw MySQL directly to them, and it had write access to the tables!
Needless to say, people had a great time exploiting it.
In case it isn't obvious, I'll just say it clearly: exposing your database server to the outside world, no matter what type it is, is usually a very bad idea. Find some other way to mediate access to it. Your users and future maintenance sysadmin types will thank you.
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK