
Saturday, December 24, 2011

Raw MySQL access over the Internet is a bad idea

Okay, I'm going to have to pat myself on the back for some great timing here. Back on Wednesday, I wrote a post about how you should stick a stateful server in front of that database. The idea there was that your clients would talk to that server in high-level commands, so they would never need to know about the database's language, schema, and so on.

Little did I know that a great post would land on Hacker News a couple of days later: Super Meat Boy leaves database wide open.

I'll summarize for anyone who doesn't want to read through the comments at HN or the SA post: they shipped a program with the MySQL client code baked in and a username and password hardcoded into it. The program then phoned home over the Internet and spoke raw MySQL directly to their database server, and that account had write access to the tables! Anything baked into a client binary can be read back out of it, so those credentials were effectively public, and every copy of the program was a fully capable MySQL client with write access.

Needless to say, people had a great time exploiting it.

In case it isn't obvious, I'll just say it clearly: exposing your database server to the outside world, no matter what type it is, is usually a very bad idea. Find some other way to mediate access to it. Your users and future maintenance sysadmin types will thank you.
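Here is the difference in code, as an added example that is neither the author's code nor anything from the game in question. An in-memory sqlite3 database stands in for the MySQL server, and a leaderboard table with a few constructed rows stands in for whatever the game actually stored. The first function is the pattern above: a client that holds the database account and sends whatever SQL it likes. The second is the mediating server from Wednesday's post: it owns the connection, exposes only two high-level commands, and validates everything before it touches the database. The table, names, limits and scores are all made up for illustration.

```python
"""Raw client access to a database versus a mediating server.

Added example, not the post author's code. sqlite3 in memory stands in for
the MySQL server; the 'scores' table and its rows are constructed.
"""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build the stand-in database with a few constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE scores (player TEXT PRIMARY KEY, score INTEGER NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO scores VALUES (?, ?)",
        [("alice", 1200), ("bob", 950), ("carol", 700)],
    )
    conn.commit()
    return conn


# --- The pattern the post warns about -------------------------------------
# The client embeds the database account and speaks SQL straight to the
# server. Whatever that account may do, every copy of the client (and anyone
# who pulls the credentials out of it) may do as well.
def raw_client_query(conn: sqlite3.Connection, sql: str) -> list:
    """Stand-in for a shipped client running arbitrary SQL with a shared account."""
    cur = conn.execute(sql)
    conn.commit()
    return cur.fetchall()


# --- The alternative: a server that owns the connection -------------------
class ScoreService:
    """Mediating server: holds the credentials, exposes only high-level commands.

    Clients never see SQL, the schema, or the database account. Every input
    is validated and every statement is parameterized, so the most a hostile
    client can do is submit a plausible score for a well-formed player name.
    """

    PLAYER_RE = re.compile(r"^[a-z0-9_]{1,16}$")  # constructed policy
    MAX_SCORE = 100_000                           # constructed policy

    def __init__(self, conn: sqlite3.Connection):
        self._conn = conn  # only the service ever holds this

    def submit_score(self, player: str, score: int) -> bool:
        """Record a score if it is plausible and beats the player's best.

        Returns True when the table changed, False when the score did not
        improve on the stored one. Raises ValueError on bad input.
        """
        if not isinstance(player, str) or not self.PLAYER_RE.match(player):
            raise ValueError("bad player name")
        if not isinstance(score, int) or not 0 <= score <= self.MAX_SCORE:
            raise ValueError("score out of range")
        row = self._conn.execute(
            "SELECT score FROM scores WHERE player = ?", (player,)
        ).fetchone()
        if row is None:
            self._conn.execute(
                "INSERT INTO scores (player, score) VALUES (?, ?)", (player, score)
            )
        elif score > row[0]:
            self._conn.execute(
                "UPDATE scores SET score = ? WHERE player = ?", (score, player)
            )
        else:
            return False
        self._conn.commit()
        return True

    def top_scores(self, n: int = 10) -> list:
        """Return the top n (player, score) pairs, with n clamped to 1..100."""
        n = max(1, min(int(n), 100))
        return self._conn.execute(
            "SELECT player, score FROM scores ORDER BY score DESC LIMIT ?", (n,)
        ).fetchall()


if __name__ == "__main__":
    # What a hostile copy of the raw client can do with the shared account.
    raw = make_db()
    raw_client_query(raw, "UPDATE scores SET score = 999999 WHERE player = 'bob'")
    print("raw client:", raw_client_query(raw, "SELECT * FROM scores ORDER BY score DESC"))

    # What the same hostile client can do through the mediating service.
    svc = ScoreService(make_db())
    for player, score in [("bob", 1000), ("bob'; DELETE FROM scores; --", 5), ("bob", 999999)]:
        try:
            print("mediated:", player, score, "->", svc.submit_score(player, score))
        except ValueError as exc:
            print("mediated:", player, score, "-> rejected:", exc)
    print("leaderboard:", svc.top_scores(3))
```

With the mediating server in place, the database account belongs to the service alone, and it can be scoped to exactly what the service does (in MySQL terms, a GRANT of only the needed statements on only the needed tables, restricted to the service host). The game client needs nothing but the service's address.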