Full Disclosure mailing list archives
MySQL < 4.0.12 && MySQL <= 5.0.4 : Insecure tmp file handling
From: "ZATAZ.net" <exploits () zataz net>
Date: Tue, 17 May 2005 12:46:29 +0200
#########################################################

MySQL mysql_install_db data manipulation

vendor: http://www.mysql.com
advisory: http://www.zataz.net/adviso/mysql-05172005.txt
vendor informed: yes
exploit available: no

#########################################################

MySQL contains a security flaw which could allow a malicious local
attacker to inject arbitrary SQL commands during the database creation
process.

For example:

A malicious local attacker could create a mysql account accessible
from local (or everywhere) with ALL privileges on all databases;

##########
versions:
##########

MySQL < 4.0.12
MySQL <= 5.0.4

##########
Solution:
##########

For MySQL 4.0.x update to the new version 4.0.12
MySQL 5.0.4 is still vulnerable.

#########
timeline:
#########

discovered : 2005-05-07
vendor notified : 2005-05-09
vendor response : 2005-05-09
vendor fix : 2005-05-17
disclosure : 2005-05-17

#####################
Technical details :
#####################

    tmp_file=/tmp/mysql_install_db.$$

Then on :

    226 echo "use mysql;" > $tmp_file
    227 cat $tmp_file $fill_help_tables | eval "$mysqld_install_cmd_line"
    228 res=$?
    229 rm $tmp_file

#####################
Credits :
#####################

Eric Romang (eromang () zataz net - ZATAZ)
Thxs to Gentoo Security Team. (Taviso, Sune, jaervosz, etc.)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
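
Added example, not part of the original advisory and not MySQL's code: the temp-file pattern quoted under "Technical details" next to hardened alternatives in POSIX sh. The function names and the directory argument (a stand-in for /tmp) are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration; function names and the directory argument are assumptions.

# Pattern from the advisory: the name is derived from the PID, so it is
# guessable, and ">" silently reuses whatever already exists at that path.
predictable_write() {            # $1 = directory standing in for /tmp
    tmp_file="$1/mysql_install_db.$$"
    echo "use mysql;" > "$tmp_file"
}

# Hardened: mktemp picks an unpredictable name and creates the file itself,
# exclusively and with mode 0600, so it never reuses an existing path.
safe_write() {                   # $1 = directory; prints the file it created
    tmp_file=$(mktemp "$1/mysql_install_db.XXXXXX") || return 1
    echo "use mysql;" > "$tmp_file" || return 1
    printf '%s\n' "$tmp_file"
}

# No temp file at all: emit the statements as one stream, to be used as
#   bootstrap_stream "$fill_help_tables" | eval "$mysqld_install_cmd_line"
bootstrap_stream() {             # $1 = optional extra SQL file
    echo "use mysql;"
    [ -n "$1" ] && cat "$1"
    return 0
}

# If a fixed name cannot be avoided, noclobber (set -C) makes ">" fail
# when something is already present at the path instead of writing into it.
exclusive_write() {              # $1 = full path
    ( set -C; echo "use mysql;" > "$1" ) 2>/dev/null
}
```

When auditing install scripts, `$$` or a fixed name under /tmp combined with a plain `>` redirect is the pattern to look for.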