On a security mailing list over the weekend, an unknown party published details about the structure and content of databases on the website of database vendor MySQL. The information was apparently accessible via a security hole on the MySQL.com website.
The hacker says the vulnerability is a blind SQL injection problem. This is a worst-case scenario for a web server because the flaw allows access to the entire database behind a public-facing website. SQL injections are possible when SQL commands can be embedded in user input so that web servers pass them on to the database.

Blind SQL injection means that the result of the database operation is not displayed; in other words, the attacker has to work blindly. In such cases, hackers therefore often ask the database yes/no questions and link one of the answers to a time-consuming operation. Depending on how long it takes the resulting page to appear, they can then tell what the response to the query was.
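
From the defender's side, this yes/no timing pattern is visible in web server logs. The following is an added example, not part of the original article: it scans constructed log lines for database delay functions in request parameters and records whether each response was actually delayed. The log format, addresses, paths and the two-second threshold are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log: client address, request line, response time in seconds.
SAMPLE_LOG = """\
203.0.113.7 "GET /item?id=42" 0.031
203.0.113.7 "GET /item?id=42+AND+IF(1%3D1,SLEEP(5),0)" 5.040
203.0.113.7 "GET /item?id=42+AND+IF(1%3D2,SLEEP(5),0)" 0.029
198.51.100.9 "GET /search?q=how+to+sleep+better" 0.045
198.51.100.9 "GET /report?year=2011" 6.200
"""

LINE = re.compile(r'^(\S+) "(\S+) (\S+)" ([\d.]+)$')
# Delay primitives called as functions/statements (MySQL, PostgreSQL, SQL Server).
DELAY_CALL = re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I)


def find_probes(log_text, slow_threshold=2.0):
    """Return one finding per request whose parameters contain a delay call."""
    findings = []
    for raw in log_text.splitlines():
        match = LINE.match(raw.strip())
        if not match:
            continue  # skip lines that do not fit the assumed format
        client, _method, target, seconds = match.groups()
        path, _, query = target.partition("?")
        decoded = unquote_plus(query)  # undo %XX and '+' encoding before matching
        if DELAY_CALL.search(decoded):
            findings.append({
                "client": client,
                "path": path,
                "query": decoded,
                # A delayed response suggests the database executed the injected delay.
                "delayed": float(seconds) >= slow_threshold,
            })
    return findings


def clients_to_review(findings):
    """Count probe requests per client so repeated yes/no probing stands out."""
    counts = {}
    for f in findings:
        counts[f["client"]] = counts.get(f["client"], 0) + 1
    return counts


if __name__ == "__main__":
    for finding in find_probes(SAMPLE_LOG):
        print(finding)
```

The ordinary search for "sleep" and the slow but clean report request are not flagged; a finding with `delayed` set to true is the one that indicates the parameter reached the database unescaped and needs a parameterized query.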

The link for this article located at H Security is no longer available.