[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] MySQL < 4.0.12 && MySQL <= 5.0.4 : Insecure tmp file handling
- To: moderators@xxxxxxxxx, bugs@xxxxxxxxxxxxxxxxxxx, submissions@xxxxxxxxxxxxxxxxxxxxxxx, xforce@xxxxxxx, full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] MySQL < 4.0.12 && MySQL <= 5.0.4 : Insecure tmp file handling
- From: "ZATAZ.net" <exploits@xxxxxxxxx>
- Date: Tue, 17 May 2005 12:46:29 +0200
#########################################################
MySQL mysql_install_db data manipulation
vendor: http://www.mysql.com
advisory: http://www.zataz.net/adviso/mysql-05172005.txt
vendor informed: yes exploit available:no
#########################################################
MySQL contain a security flaw how could
allow a malicious local attacker to inject arbitrary SQL commands
during database creation process.
For exemple : A malicious local attacker could create an mysql account
accessible from local (or everywhere) with ALL privileges on all
databases;
##########
versions:
##########
MySQL < 4.0.12
MySQL <= 5.0.4
##########
Solution:
##########
For MySQL 4.0.x update to the new version 4.0.12
MySQL 5.0.4 still vulnerable.
#########
timeline:
#########
discovered : 2005-05-07
vendor notified : 2005-05-09
vendor response : 2005-05-09
vendor fix : 2005-05-17
disclosure : 2005-05-17
#####################
Technical details :
#####################
tmp_file=/tmp/mysql_install_db.$$
Then on :
226 echo "use mysql;" > $tmp_file
227 cat $tmp_file $fill_help_tables | eval
"$mysqld_install_cmd_line"
228 res=$?
229 rm $tmp_file
#####################
Credits :
#####################
Eric Romang (eromang@xxxxxxxxx - ZATAZ)
Thxs to Gentoo Security Team. (Taviso, Sune, jaervosz, etc.)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/