posted on Monday, October 11, 2004 8:59 PM by stefandemetz
Myth debunking: SQL Server vs MySQL security 2003-2004 (SQL Server has fewer bugs!!)
MS SQL Server (or MSDE) vs MySQL
It seems that yet again an MS product has fewer bugs than the corresponding LAMP product (here are unscientific reports for ASP.NET vs PHP and IIS6 vs Apache).
MSSQL 2003: 12
MySQL 2003: 12 + 1 multiple (2003-10-30: MySQL Multiple Vulnerabilities)
MSSQL 2004: 3
MySQL 2004: 8
I am sure everybody will get (yet again) into splitting hairs as to which is more or less secure, depending on lines of code, number of installations, Service Packs vs latest build, etc.
This is the list:
2004-10-07: MySQL MaxDB WebDBM Server Name Denial of Service Vulnerability
2004-09-30: MySQL Unspecified Insecure Temporary File Creation Vulnerability
2004-09-27: MySQL Bounded Parameter Statement Execution Remote Buffer Overflow Vulnerability
2004-09-07: MySQL Mysqlhotcopy Script Insecure Temporary File Creation Vulnerability
2004-07-08: MySQL Authentication Bypass Vulnerability
2004-07-05: MySQL Password Length Remote Buffer Overflow Vulnerability
2004-05-25: MySQL MYSQLD_Multi Insecure Temporary File Creation Vulnerability
2004-05-25: MySQL Aborted Bug Report Insecure Temporary File Creation Vulnerability
2003-11-24: MySQL Password Handler Buffer Overflow Vulnerability
2003-10-30: MySQL Multiple Vulnerabilities
2003-09-18: MySQL mysqld Privilege Escalation Vulnerability
2003-09-18: MySQL Double Free Heap Corruption Vulnerability
2003-07-22: MySQL AB ODBC Driver Plain Text Password Vulnerability
2003-06-12: MySQL libmysqlclient Library mysql_real_connect() Buffer Overrun Vulnerability
2003-05-12: MySQL COM_CHANGE_USER Password Memory Corruption Vulnerability
2003-05-12: MySQL libmysqlclient Library Read_One_Row Buffer Overflow Vulnerability
2003-05-12: MySQL COM_CHANGE_USER Password Length Account Compromise Vulnerability
2003-05-12: MySQL libmysqlclient Library Read_Rows Buffer Overflow Vulnerability
2003-05-12: MySQL COM_TABLE_DUMP Memory Corruption Vulnerability
2003-05-05: MySQL Weak Password Encryption Vulnerability
2003-03-07: MySQL Control Center Insecure Default File Permission Vulnerability
2004-08-24: Microsoft SQL Server User Authentication Remote Buffer Overflow Vulnerability
2004-04-14: Microsoft Remote Procedure Call Service DoS Vulnerability
2004-04-07: Microsoft SQL Server 2000 Resolution Service Stack Overflow Vulnerability
2003-07-25: Microsoft SQL Server / MSDE Named Pipes Privilege Escalation Vulnerability
2003-07-25: Microsoft SQL Server LPC Port Request Buffer Overflow Vulnerability
2003-07-25: Microsoft SQL Server / MSDE Named Pipe Denial Of Service Vulnerability
2003-07-25: Microsoft SQL Server / MSDE Multiple Vulnerabilities
2003-07-15: Microsoft SQL Server JET Database Engine 4.0 Buffer Overrun Vulnerability
2003-06-16: Microsoft SQL Server 2000 Resolution Service Heap Overflow Vulnerability
2003-06-04: Microsoft SQL MS Jet Engine Unicode Buffer Overflow Vulnerability
2003-02-01: Microsoft SQL Server 7.0/2000 DBCC Buffer Overflow Vulnerability
2003-02-01: Microsoft SQL Agent Jobs Privilege Elevation Vulnerability
2003-02-01: Microsoft SQL Server Extended Stored Procedure Privilege Elevation Vulnerability
2003-01-27: Microsoft SQL Server Web Task Stored Procedure Privilege Escalation Vulnerability
2003-01-25: Microsoft SQL Server 2000 Bulk Insert Procedure Buffer Overflow Vulnerability
(Figures provided by http://www.securityfocus.com/bid/vendor/)