MySQL MyISAM Options Let Local Users Overwrite Table Files
|
|
SecurityTracker Alert ID: 1019995
|
|
SecurityTracker URL: http://securitytracker.com/id?1019995
|
|
CVE Reference: CVE-2008-2079
(Links to External Site)
|
Date: May 8 2008
|
Impact: Modification of user information
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Version(s): 4.1.x prior to 4.1.24, 5.0.x prior to 5.0.60, 5.1.x prior to 5.1.24, 6.0.x prior to 6.0.5
|
Description: A vulnerability was reported in MySQL. A local user can bypass security restrictions.
A local user can create MyISAM tables using the DATA DIRECTORY and INDEX DIRECTORY options to overwrite existing table files in the MySQL data directory.
Sergei Golubchik reported this vulnerability.
|
Impact: A local user can overwrite table files.
|
Solution: The vendor has issued fixed versions (4.1.24, 5.0.60, 5.1.24, 6.0.5).
The vendor's advisories are available at:
http://dev.mysql.com/doc/refman/4.1/en/news-4-1-24.ht
ml
http://dev.mysql.com/doc/refman/5.0/en/releasenotes-es-5-0-60.html
http://dev.mysql.com/doc/refman/5.1/en/news-5-1-24.html
http://dev.mysql.com/doc/refman/6.0/en/ne
ws-6-0-5.html
|
Cause: Access control error
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
|
Message History:
None.
|
Source Message Contents
|
Date: Thu, 8 May 2008 08:36:53 -0400
Subject: MySQL
|
> Important Change: Security Fix: It was possible to circumvent privileges through the
> creation of MyISAM tables employing the DATA DIRECTORY and INDEX DIRECTORY options
> to overwrite existing table files in the MySQL data directory. Use of the MySQL data
> directory in DATA DIRECTORY and INDEX DIRECTORY is now disallowed. (Bug#32167)
CVE-2008-2079
|
|
