lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <4FCC2740-8677-42A0-9921-E0004B31F261@zataz.net>
Date: Tue, 17 May 2005 12:46:29 +0200
From: "ZATAZ.net" <exploits@...az.net>
To: moderators@...db.org, bugs@...uritytracker.com,
	submissions@...ketstormsecurity.org, xforce@....net,
	full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: MySQL < 4.0.12 && MySQL <= 5.0.4 : Insecure tmp
	file handling

#########################################################
MySQL mysql_install_db data manipulation
vendor: http://www.mysql.com
advisory: http://www.zataz.net/adviso/mysql-05172005.txt
vendor informed: yes exploit available:no

#########################################################

MySQL contain a security flaw how could
allow a malicious local attacker to inject arbitrary SQL commands
during database creation process.

For exemple : A malicious local attacker could create an mysql account
accessible from local (or everywhere) with ALL privileges on all  
databases;

##########
versions:
##########

MySQL < 4.0.12
MySQL <= 5.0.4

##########
Solution:
##########

For MySQL 4.0.x update to the new version 4.0.12
MySQL 5.0.4 still vulnerable.

#########
timeline:
#########

discovered : 2005-05-07
vendor notified : 2005-05-09
vendor response : 2005-05-09
vendor fix :  2005-05-17
disclosure : 2005-05-17

#####################
Technical details :
#####################

tmp_file=/tmp/mysql_install_db.$$

Then on :

  226     echo "use mysql;" > $tmp_file
  227     cat $tmp_file $fill_help_tables | eval  
"$mysqld_install_cmd_line"
  228     res=$?
  229     rm $tmp_file

#####################
Credits :
#####################

Eric Romang (eromang@...az.net - ZATAZ)
Thxs to Gentoo Security Team. (Taviso, Sune, jaervosz, etc.)



Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ