MySQL ALTER DATABASE Processing Error Lets Remote Authenticated Users Deny Service
|
SecurityTracker Alert ID: 1024160 |
SecurityTracker URL: http://securitytracker.com/id/1024160
|
CVE Reference:
CVE-2010-2008
(Links to External Site)
|
Date: Jun 30 2010
|
Impact:
Denial of service via network
|
Fix Available: Yes Vendor Confirmed: Yes Exploit Included: Yes
|
Version(s): prior to 5.1.48
|
Description:
A vulnerability was reported in MySQL. A remote authenticated user can cause denial of service conditions.
A remote authenticated user can send a specially crafted ALTER DATABASE command to cause the target server to move a data directory into a new subdirectory, causing the data directory to become unusable.
A demonstration exploit request is provided [where "<special>" is "." or ".." or is a sequence that begins with "./" or "../"]:
ALTER DATABASE `#mysql50#<special>` UPGRADE DATA DIRECTORY NAME
Shane Bester reported this vulnerability.
|
Impact:
A remote authenticated user can cause denial of service conditions on the target system.
|
Solution:
The vendor has issued a fix (5.1.48).
The vendor's advisory is available at:
http://dev.mysql.com/doc/refman/5.1/en/news-5-1-48.html
|
Vendor URL: dev.mysql.com/doc/refman/5.1/en/news-5-1-48.html (Links to External Site)
|
Cause:
Input validation error
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
|
Message History:
None.
|
Source Message Contents
|
|
[Original Message Not Available for Viewing]
|
|