Bugtraq mailing list archives

RE: MySQL command-line client HTML injection vulnerability

From: "Quark IT - Hilton Travis" <Hilton () QuarkIT com au>
Date: Wed, 1 Oct 2008 08:59:58 +1000

Hi Thomas,

This bug was fixed in a MySQL release dated 01 May 2008.  It is now 01
Oct 2008 - 5 months after the bug was released.  So why exactly is this
news?  Did I miss something here?

--

http://blog.hiltontravis.com/

Regards,

Hilton Travis                       Phone: +61 (0)7 3105 9101
(Brisbane, Australia)               Phone: +61 (0)419 792 394
Manager, Quark IT                   http://www.quarkit.com.au
         Quark Group                http://www.quarkgroup.com.au

     Microsoft SBSC PAL (Australia) http://www.sbscpal.com/

War doesn't determine who is right.  War determines who is left.

This document and any attachments are for the intended recipient 
  only.  It may contain confidential, privileged or copyright 
     material which must not be disclosed or distributed.

                    Quark Group Pty. Ltd.
      T/A Quark Automation, Quark AudioVisual, Quark IT

-----Original Message-----
From: Thomas Henlich [mailto:thomas () henlich de]
Sent: Tuesday, 30 September 2008 6:30 PM
To: bugtraq () securityfocus com
Subject: MySQL command-line client HTML injection vulnerability

MYSQL COMMAND-LINE CLIENT HTML INJECTION VULNERABILITY

Thomas Henlich <thomas () henlich de>

DESCRIPTION

The mysql command-line client does not quote HTML special characters
like < in its output. This allows an attacker who is able to write

data

into a table to hide or modify records in the output, and to inject
potentially dangerous code, e. g. Javascript to perform cross-site
scripting or cross-site request forgery attacks.

HOW TO REPRODUCE

$ mysql --html --execute "select '<a>'" ...
<TABLE BORDER=1><TR><TH><a></TH></TR><TR><TD><a></TD></TR></TABLE>

AFFECTED VERSIONS

All.

RESOLUTION

Users are advised to install the available patch from
http://bugs.mysql.com/bug.php?id=27884.

WORKAROUND

If another resolution is not feasible, users are advised to modify
their
 SELECT statements to filter out the characters < and &:

SELECT REPLACE(REPLACE(...,'&','&amp;'),'<','&lt;') AS ...;

This workaround is incompatible with the described resolution and
should
be reversed after installation of the patch.

TIMELINE

2007-04-17 Opened bug on mysql.com
2008-05-01 Patch available

RESOURCES

The bug is filed on http://bugs.mysql.com/bug.php?id=27884.

This advisory is available from
http://www.henlich.de/it-security/mysql-command-line-client-html-
injection-vulnerability.

Current thread:

RE: MySQL command-line client HTML injection vulnerability Quark IT - Hilton Travis (Oct 01)
- Re: MySQL command-line client HTML injection vulnerability Michael Scheidell (Oct 08)
- <Possible follow-ups>
- Re: RE: MySQL command-line client HTML injection vulnerability mrry . dmlo (Oct 03)
  - RE: RE: MySQL command-line client HTML injection vulnerability Quark IT - Hilton Travis (Oct 06)
- Re: MySQL command-line client HTML injection vulnerability okuno (Oct 29)