New MySQL-Related Default Insecurity Affects 7500+ Apps

Allows for Authentication Bypass & Data Leaks

This week, an anonymous researcher discovered and reported an issue with the SphinxSearch application used with MySQL databases:

“TL;DR: SphinxSearch comes with an insecure default configuration that opens a listener on port 9306. No auth required. Connections using a mysql client are possible.”

The full report is available here.

Finding affected SphinxSearch apps in Censys

 So what could we find in our global Internet data to determine how many are affected by this issue?

TL;DR: 7,576 MySQL databases are using a default setting in the SphinxSearch application that allows for authentication bypass & data leaks

We searched our lightweight banners data set in Google BigQuery for services that answered on port 9306, which is used exclusively for SphinxSearch, and converted the banner data into plain text so we could search for strings that indicate a SphinxSearch connection. Note that port 9306 hosts the SphinxSearch application and native API.

We also found that of those affected devices, the majority were hosted in Russia, followed by the United States.

 Enterprise customers can use the following BigQuery search to find exposed applications:


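   -- Inner query: banners collected on port 9306, converted from bytes to text
   SELECT ip, banner
   FROM (
     SELECT ip, SAFE_CONVERT_BYTES_TO_STRING(svcs.banner) AS banner
     FROM `censys-pipeline.ipv4_banners.20190819`, UNNEST(services) AS svcs
     WHERE svcs.port_number = 9306
   )
   -- Keep banners with strings that indicate SphinxSearch, and exclude
   -- banners containing mysql_native_password or mysqladmin
   WHERE (banner LIKE '%-id64-%'
         OR banner LIKE '%-release%'
         OR banner LIKE '%commit%'
         OR banner LIKE '%mysql_%')
     AND banner NOT LIKE '%mysql_native_password%'
     AND banner NOT LIKE '%mysqladmin%'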

 The following screenshot includes some comments about how we performed the search that we hope will be useful to our users:

How to secure affected Sphinx apps

Luckily, the researcher also included the fix, and shows readers how to change the problematic default setting:

 “Just go to your SphinxSearch configuration and edit the listen variable to include only localhost or put a (host) firewall like iptables in front of your installation.”

Also included in the original post are some helpful screenshots describing the vulnerability and the fix.
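
To check your own hosts for the setting the fix addresses, the script below audits the `listen` directives of a SphinxSearch configuration and reports every listener that is not bound to loopback or a UNIX socket. It is an added example, not code from the researcher's report or from Censys; the sample configuration is constructed, and the parser assumes the `address:port:protocol` forms of `listen` (port ranges are not handled).

```python
import ipaddress
import re

# Constructed sample config, not taken from the report or any real host.
SAMPLE_CONF = """
searchd
{
    listen = 9312
    listen = 9306:mysql41
    listen = 127.0.0.1:9307:mysql41
    listen = /var/run/searchd.sock
    # listen = 0.0.0.0:9999:mysql41
}
"""

# Active (uncommented) listen directives only.
LISTEN_RE = re.compile(r"^[ \t]*listen[ \t]*=[ \t]*(\S+)", re.MULTILINE)


def parse_listen(value):
    """Return (address, port, protocol) for one listen value."""
    if value.startswith("/"):  # UNIX socket, not reachable over the network
        path, _, proto = value.partition(":")
        return "unix:" + path, None, proto or "sphinx"
    parts = value.split(":")
    proto = "sphinx"  # searchd's native API is the default protocol
    if len(parts) > 1 and not parts[-1].isdigit():
        proto = parts.pop()
    if len(parts) == 1:
        # A bare port binds every interface; a bare host uses the default port.
        if parts[0].isdigit():
            return "0.0.0.0", parts[0], proto
        return parts[0], None, proto
    return parts[0], parts[1], proto


def is_local_only(address):
    if address.startswith("unix:") or address == "localhost":
        return True
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False  # unknown hostname: report it for manual review


def exposed_listeners(conf_text):
    """List listeners that accept connections from non-loopback addresses."""
    parsed = (parse_listen(m.group(1)) for m in LISTEN_RE.finditer(conf_text))
    return [entry for entry in parsed if not is_local_only(entry[0])]
```

An empty result from `exposed_listeners()` means every active listener is local-only; anything it returns should either be rebound to localhost or placed behind a host firewall, as the researcher recommends.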

Make sure to follow us on Twitter @censysio to see more findings like these. We’d also love to hear how you’re using our data, so don’t forget to tag us when you post about your research and findings!
