Information Security News mailing list archives

Previous By Date Next
Previous By Thread Next

MySQL vulnerability allows attackers to bypass password verification

From: InfoSec News <alerts () infosecnews org>
Date: Tue, 12 Jun 2012 03:35:09 -0500 (CDT)
https://www.computerworld.com/s/article/9227965/MySQL_vulnerability_allows_attackers_to_bypass_password_verification

By Lucian Constantin
IDG News Service
June 11, 2012
Security researchers have released details about a vulnerability in the MySQL server that could allow potential attackers to access MySQL databases without inputting proper authentication credentials.
The vulnerability is identified as CVE-2012-2122 and was addressed in MySQL 5.1.63 and 5.5.25 in May. However, many server administrators might not be aware of its impact, because the changelog for those versions contained very little information about the security bug.
The vulnerability can only be exploited if MySQL was built on a system where the memcmp() function can return values outside the -128 to 127 range. This is the case for Linux systems that use an SSE-optimized glibc (GNU C library).
If MySQL was built on such a system, the code that compares the cryptographic hash of a user-inputted password to the hash stored in the database for a particular account will sometimes allow authentication even if the supplied password is incorrect. 

[...]


--
Certified Ethical Hacker, ISSMP, ISSAP, CISSP training
with Expanding Security gives the best training and support.
Get a free live class invite weekly. Best programs, best prices.
http://www.ExpandingSecurity.com/PainPill
Previous By Date Next
Previous By Thread Next

Current thread: