[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <03fc01c59c7a$b38506b0$2100a8c0@ngssoftware.com>
Date: Tue, 9 Aug 2005 01:38:45 +0100
From: "David Litchfield" <davidl@...software.com>
To: "Team SHATTER" <shatter@...secinc.com>,
<bugtraq@...urityfocus.com>
Cc: full-disclosure@...ts.grok.org.uk, vulnwatch@...nwatch.org,
bugs@...uritytracker.com, security@...ts.seifried.org
Subject: Re: [AppSecInc Advisory MYSQL05-V0002] Buffer
Overflow in MySQL User Defined Functions
> Buffer Overflow in MySQL User Defined Functions
> Risk level: LOW
> Credits: This vulnerability was discovered and researched by Reid
> Borsuk of Application Security Inc.
How can this even be marked as low risk? If you're loading a library into
mysql's address space then you're already executing "arbitrary code". It's
important that we, as security researchers, don't desensitize the readership
with pointless "vulnerability" posts otherwise people begin to turn off.
Sure - you've found some sloppy code in mysql - get it looked at by all
means but please don't try to create a risk, whether low or not, where there
really is none.
Cheers,
David "got out of the wrong side of bed this morning" Litchfield
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists