FreshPorts - VuXML

When a user is granted access to a database with a name containing an underscore and the underscore is not escaped then that user might also be able to access other, similarly named, databases on the affected system.

The problem is that the underscore is seen as a wildcard by MySQL and therefore it is possible that an admin might accidently GRANT a user access to multiple databases.

le 3.23.58_3

ge 4.* lt 4.0.21

A Red Hat advisory reports:

Oleksandr Byelkin discovered that "ALTER TABLE ... RENAME" checked the CREATE/INSERT rights of the old table instead of the new one.

Table access restrictions, on the affected MySQL servers, may accidently or intentially be bypassed due to this bug.

le 3.23.58_3

ge 4.* lt 4.0.21

Dean Ellis reported a denial of service vulnerability in the MySQL server:

Multiple threads ALTERing the same (or different) MERGE tables to change the UNION eventually crash the server or hang the individual threads.

Note that a script demonstrating the problem is included in the MySQL bug report. Attackers that have control of a MySQL account can easily use a modified version of that script during an attack.

le 3.23.58_3

ge 4.* lt 4.0.21

ge 4.1.* lt 4.1.1

MySQL reports:

A malformed password packet in the connection protocol could cause the server to crash.

ge 4.1 lt 4.1.24

ge 5.0 lt 5.0.44

ge 5.1 lt 5.1.20

A special crafted MySQL FTS request can cause the server to crash. Malicious MySQL users can abuse this bug in a denial of service attack against systems running an affected MySQL daemon.

Note that because this bug is related to the parsing of requests, it may happen that this bug is triggered accidently by a user when he or she makes a typo.

ge 4.* lt 4.0.21

SecurityFocus reports:

MySQL is prone to a security-bypass vulnerability. An attacker can exploit this issue to overwrite existing table files in the MySQL data directory, bypassing certain security restrictions.

ge 6.0 lt 6.0.5

ge 5.1 lt 5.1.24

ge 5.0 lt 5.0.67

ge 4.1 lt 4.1.22_1

Secunia reports:

MySQL have some vulnerabilities, which can be exploited by malicious users to disclose potentially sensitive information and compromise a vulnerable system.

1) An error within the code that generates an error response to an invalid COM_TABLE_DUMP packet can be exploited by an authenticated client to disclosure certain memory content of the server process.

2) A boundary error within the handling of specially crafted invalid COM_TABLE_DUMP packets can be exploited by an authenticated client to cause a buffer overflow and allows arbitrary code execution.

3) An error within the handling of malformed login packets can be exploited to disclosure certain memory content of the server process in the error messages.

gt 4.0 lt 4.0.27

gt 4.1 lt 4.1.19

gt 5.1 le 5.1.9

SecurityFocus reports:

MySQL is reported prone to an insecure temporary file creation vulnerability.

Reports indicate that an attacker that has 'CREATE TEMPORARY TABLE' privileges on an affected installation may leverage this vulnerability to corrupt files with the privileges of the MySQL process.

MySQL is reported prone to an input validation vulnerability that can be exploited by remote users that have INSERT and DELETE privileges on the 'mysql' administrative database.

Reports indicate that this issue may be leveraged to load an execute a malicious library in the context of the MySQL process.

Finally, MySQL is reported prone to a remote arbitrary code execution vulnerability. It is reported that the vulnerability may be triggered by employing the 'CREATE FUNCTION' statement to manipulate functions in order to control sensitive data structures.

This issue may be exploited to execute arbitrary code in the context of the database process.

ge 4.0.0 lt 4.0.24

ge 4.1.0 lt 4.1.10a

MySQL reports:

The vulnerability is caused due to an error when processing an empty bit-string literal and can be exploited to crash the server via a specially crafted SQL statement.

ge 5.0 lt 5.0.66

ge 5.1 lt 5.1.26

ge 6.0 lt 6.0.6

MySQL Team reports:

Additional corrections were made for the symlink-related privilege problem originally addressed. The original fix did not correctly handle the data directory pathname if it contained symlinked directories in its path, and the check was made only at table-creation time, not at table-opening time later.

ge 4.1 lt 4.1.25

ge 5.0 lt 5.0.75

ge 5.1 lt 5.1.28

ge 6.0 lt 6.0.6

There is a buffer overflow in the prepared statements API (libmysqlclient) when a statement containing thousands of placeholders is executed.

ge 4.1.0 le 4.1.4

MySQL reports:

An SQL-injection security hole has been found in multibyte encoding processing. An SQL-injection security hole can include a situation whereby when inserting user supplied data into a database, the user might inject his own SQL statements that the server will execute. With regards to this vulnerability discovered, when character set unaware escaping is used (e.g., addslashes() in PHP), it is possible to bypass it in some multibyte character sets (e.g., SJIS, BIG5 and GBK). As a result, a function like addslashes() is not able to prevent SQL injection attacks. It is impossible to fix this on the server side. The best solution is for applications to use character set aware escaping offered in a function like mysql_real_escape().

Workarounds:

One can use NO_BACKSLASH_ESCAPES mode as a workaround for a bug in mysql_real_escape_string(), if you cannot upgrade your server for some reason. It will enable SQL standard compatibility mode, where backslash is not considered a special character.

ge 5.1 le 5.1.9

ge 5.0 lt 5.0.22

ge 4.1 lt 4.1.20

The mysql_real_connect function doesn't properly handle DNS replies by copying the IP address into a buffer without any length checking. A specially crafted DNS reply may therefore be used to cause a buffer overflow on affected systems.

Note that whether this issue can be exploitable depends on the system library responsible for the gethostbyname function. The bug finder, Lukasz Wojtow, explaines this with the following words:

In glibc there is a limitation for an IP address to have only 4 bytes (obviously), but generally speaking the length of the address comes with a response for dns query (i know it sounds funny but read rfc1035 if you don't believe). This bug can occur on libraries where gethostbyname function takes length from dns's response

le 3.23.58_3

ge 4.* lt 4.0.21

le 3.23.58_3

ge 4.* lt 4.0.21

MySQL reports:

Using RENAME TABLE against a table with explicit DATA DIRECTORY and INDEX DIRECTORY options can be used to overwrite system table information by replacing the symbolic link points. the file to which the symlink points.

ge 4.1 lt 4.1.24

ge 5.0 lt 5.0.51

ge 5.1 lt 5.1.23

ge 6.0 lt 6.0.4

ORACLE reports:

Multiple SQL injection vulnerabilities in the replication code

Stack-based buffer overflow

Heap-based buffer overflow

ge 5.1 lt 5.1.67

ge 5.5 lt 5.5.29

ge 5.3 lt 5.3.12

ge 5.5 lt 5.5.29

ge 5.5 lt 5.5.29.29.4

Michal Prokopiuk reports a privilege escalation in MySQL. The vulnerability causes MySQL, when run on case-sensitive filesystems, to allow remote and local authenticated users to create or access a database when the database name differs only in case from a database for which they have permissions.

ge 5.1 lt 5.1.12

ge 5.0 lt 5.0.25

< 4.1.21

Stefano Di Paola reports:

An authenticated user could remotely execute arbitrary commands by taking advantage of a stack overflow.

To take advantage of these flaws an attacker should have direct access to MySQL server communication layer (port 3306 or unix socket). But if used in conjuction with some web application flaws (i.e. php code injection) an attacker could use socket programming (i.e. php sockets) to gain access to that layer.

gt 5.0 lt 5.0.21

Dmitri Lenev reports a privilege escalation in MySQL. MySQL evaluates arguments of suid routines in the security context of the routine's definer instead of the routine's caller, which allows remote and local authenticated users to gain privileges through a routine that has been made available using GRANT EXECUTE.

ge 5.1 lt 5.1.12

ge 5.0 lt 5.0.25

MySQL reports:

The requirement of the DROP privilege for RENAME TABLE was not enforced.

ge 4.1 lt 4.1.23

ge 5.0 lt 5.0.42

ge 5.1 lt 5.1.18

By submitting a carefully crafted authentication packet, it is possible for an attacker to bypass password authentication in MySQL 4.1. Using a similar method, a stack buffer used in the authentication mechanism can be overflowed.

ge 4.1 lt 4.1.3

ge 5 le 5.0.0_2

A Zataz advisory reports that MySQL contains a security flaw which could allow a malicious local user to inject arbitrary SQL commands during the initial database creation process.

The problem lies in the mysql_install_db script which creates temporary files based on the PID used by the script.

gt 4.1 lt 4.1.12

gt 5.0 lt 5.0.6

Jean-David Maillefer reports a Denial of Service vulnerability within MySQL. The vulnerability is caused by improper checking of the data_format routine, which cause the MySQL server to crash. The crash is triggered by the following code:

"SELECT date_format('%d%s', 1);

ge 5.1 lt 5.1.6

ge 5.0 lt 5.0.19

ge 4.1 lt 4.1.18