| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue May 17 11:46:59 2005 From: exploits at zataz.net (ZATAZ.net) Subject: MySQL < 4.0.12 && MySQL <= 5.0.4 : Insecure tmp file handling ######################################################### MySQL mysql_install_db data manipulation vendor: http://www.mysql.com advisory: http://www.zataz.net/adviso/mysql-05172005.txt vendor informed: yes exploit available:no ######################################################### MySQL contain a security flaw how could allow a malicious local attacker to inject arbitrary SQL commands during database creation process. For exemple : A malicious local attacker could create an mysql account accessible from local (or everywhere) with ALL privileges on all databases; ########## versions: ########## MySQL < 4.0.12 MySQL <= 5.0.4 ########## Solution: ########## For MySQL 4.0.x update to the new version 4.0.12 MySQL 5.0.4 still vulnerable. ######### timeline: ######### discovered : 2005-05-07 vendor notified : 2005-05-09 vendor response : 2005-05-09 vendor fix : 2005-05-17 disclosure : 2005-05-17 ##################### Technical details : ##################### tmp_file=/tmp/mysql_install_db.$$ Then on : 226 echo "use mysql;" > $tmp_file 227 cat $tmp_file $fill_help_tables | eval "$mysqld_install_cmd_line" 228 res=$? 229 rm $tmp_file ##################### Credits : ##################### Eric Romang (eromang@...az.net - ZATAZ) Thxs to Gentoo Security Team. (Taviso, Sune, jaervosz, etc.) -------------- next part -------------- An HTML attachment was scrubbed... URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050517/e427bfcd/attachment.html
Powered by blists - more mailing lists