SecurityTracker.com
Category:   Application (Database)  >   MySQL
Vendors:   MySQL.com
Re: MySQL Database Allows Authorized Users to Modify Server Files to Deny Service or Obtain Additional Access
SecurityTracker Alert ID:  1001132
SecurityTracker URL:  http://securitytracker.com/id/1001132
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Mar 21 2001
Impact:   Denial of service via local system, Modification of user information, User access via local system

Version(s): mysql-3.20.32a
Description:   It is reported that any local MySQL user can exploit MySQL to write files on the server with the privileges assigned to the MySQL server (which may be root-level privileges in some cases). This can be used to gain additional access on the server.

One of the vendors writes to explain that the vulnerable version (3.20) is a very old version of MySQL and that the supported version is 3.23.x. The vendor also notes that 3.23.1 (which was released more than a year ago) and the rest of the 3.23 branch do not contain this vulnerability.

Impact:   An authorized local user can use MySQL to write files to the server in a denial of service attempt or in an attempt to obtain additional privileges. If the MySQL daemon is run as root, then the user can obtain root-level privileges.
Solution:   The vendor notes that this vulnerability was corrected over a year ago. Version 3.23.x does not contain this bug.
Vendor URL:  mysql.com
Cause:   Input validation error, State error
Underlying OS:   Linux (Any), UNIX (FreeBSD), UNIX (Solaris - SunOS), Windows (NT), Windows (95), Windows (98), Windows (2000)

Message History:   This archive entry is a follow-up to the message listed below.
Mar 19 2001 MySQL Database Allows Authorized Users to Modify Server Files to Deny Service or Obtain Additional Access



 Source Message Contents

Date:  Tue, 20 Mar 2001 11:18:26 +0100
Subject:  Re: potential vulnerability of mysqld running with root privileges


Hi!

On Mar 18, Pavlov, Lesha wrote:
> Anybody who gets a login and password to mysql can use it as a DoS or r00t
> exploit, because mysql accepts '../blah-blah' as a valid database name and
> each table is represented by 3 files: tablename.ISD, tablename.ISM and
> tablename.frm. But when mysqld checks whether a table already exists,
> it checks _only_ tablename.frm :

[skip]

> Vulnerable versions:
> This DoS/exploit was tested on mysql-3.20.32a, but I see other versions of
> mysql are also vulnerable.

3.20 is not simply outdated - it's VERY old.
The officially supported branch is 3.23 now.
3.23.1 was released more than a year ago.

And 3.23 doesn't have that bug.

>
> Recommendations:
> * Patch mysql to treat database names starting with '..' as incorrect
> database names.

3.23 does it.

> Patches:
>  not yet

Why, there have been for several years!

Regards,
Sergei

--
MySQL Development Team
   __  ___     ___ ____  __
  /  |/  /_ __/ __/ __ \/ /   Sergei Golubchik <serg@mysql.com>
 / /|_/ / // /\ \/ /_/ / /__  MySQL AB, http://www.mysql.com/
/_/  /_/\_, /___/\___\_\___/  Osnabrueck, Germany
       <___/
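
The recommendation in the thread above (reject database names that begin with '..') as an added C example, not code from MySQL or from the original posts. It goes beyond that rule by refusing any path separator and by treating a table name as taken when any of the three files named in the report exists; the function names, the 64-byte cap, the data directory path and the sample file lookup are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* 1 if `name` can be used as a single path component below the data directory. */
static int name_is_safe(const char *name)
{
    size_t len = name ? strlen(name) : 0;
    /* empty, over the assumed 64-byte cap, or ".", "..", "../x", hidden entries */
    if (len == 0 || len > 64 || name[0] == '.')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '/' || c == '\\' || c == ':' || c < 0x20)
            return 0;                /* separators, drive letters, control bytes */
    }
    return 1;
}

typedef int (*exists_fn)(const char *path);
/* 1 = name taken, 0 = free, -1 = rejected. Any of the three files counts. */
static int table_in_use(const char *datadir, const char *db,
                        const char *table, exists_fn exists)
{
    static const char *const exts[] = { ".frm", ".ISD", ".ISM" };
    char path[512];
    if (!name_is_safe(db) || !name_is_safe(table))
        return -1;
    for (size_t i = 0; i < sizeof exts / sizeof exts[0]; i++) {
        int n = snprintf(path, sizeof path, "%s/%s/%s%s", datadir, db, table, exts[i]);
        if (n < 0 || (size_t)n >= sizeof path)
            return -1;               /* truncated path: refuse rather than guess */
        if (exists(path))
            return 1;
    }
    return 0;
}

/* Constructed stand-in for a filesystem lookup: only a data file is present. */
static int sample_exists(const char *path)
{
    return strcmp(path, "/var/lib/mysql/shop/orders.ISD") == 0;
}

int main(void)
{
    printf("%d\n", table_in_use("/var/lib/mysql", "../blah-blah", "t", sample_exists));
    printf("%d\n", table_in_use("/var/lib/mysql", "shop", "orders", sample_exists));
    printf("%d\n", table_in_use("/var/lib/mysql", "shop", "new", sample_exists));
    return 0;
}
```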

 
 


Copyright 2013, SecurityGlobal.net LLC