[19732] in bugtraq
Re: potential vulnerability of mysqld running with root privileges
daemon@ATHENA.MIT.EDU (Sergei Golubchik)
Tue Mar 20 20:38:05 2001
Mail-Followup-To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010320111826.A11351@serg.mysql.com>
Date: Tue, 20 Mar 2001 11:18:26 +0100
Reply-To: Sergei Golubchik <sergii@PISEM.NET>
From: Sergei Golubchik <sergii@PISEM.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <15897.010318@nn.ru>; from lesha@NN.RU on Sun, Mar 18, 2001 at 09:32:37PM +0300
Hi!
On Mar 18, Pavlov, Lesha wrote:
> Anybody who gets a login and password to mysql can use it as a DoS or r00t
> exploit, because mysql accepts '../blah-blah' as a valid database name and
> each table is represented by 3 files: tablename.ISD, tablename.ISM and
> tablename.frm. But when mysqld checks whether a table already exists or
> not, it checks _only_ tablename.frm:
[skip]
> Vulnerable versions:
> This DoS/exploit was tested on mysql-3.20.32a, but I see other versions of
> mysql are also vulnerable.
3.20 is not simply outdated - it's VERY old.
The officially supported branch is 3.23 now.
3.23.1 was released more than a year ago.
And 3.23 doesn't have that bug.
>
> Recommendations:
> * Patch mysql to treat database names starting with '..' as incorrect
> database names.
3.23 does it.
> Patches:
> not yet
Why, there have been for several years!
Regards,
Sergei
--
MySQL Development Team
Sergei Golubchik <serg@mysql.com>
MySQL AB, http://www.mysql.com/
Osnabrueck, Germany
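As an added defender-side illustration of the two points raised in this thread (database names must not be allowed to escape the data directory, and an existence check that looks only at tablename.frm misses a table whose .ISD or .ISM file is still present), here is example code that is not from the original post and not MySQL's own implementation; the function names, the conservative rejection of any '..' substring, and the constructed data directory layout are assumptions made for the example:

```python
import os
import tempfile

# The three files that make up one table in the format the post describes.
TABLE_EXTENSIONS = (".frm", ".ISD", ".ISM")


def is_valid_db_name(name: str) -> bool:
    """Hypothetical validator: a name must be a single path component.

    Rejects empty names, '.', '..', any path separator or NUL byte, and
    (conservatively) any '..' substring at all.
    """
    if not name or name in (".", ".."):
        return False
    if "/" in name or "\\" in name or "\0" in name:
        return False
    return ".." not in name


def table_exists(datadir: str, db: str, table: str) -> bool:
    """Existence check that considers all three files, not only .frm.

    Also refuses any candidate path that resolves outside datadir.
    """
    if not (is_valid_db_name(db) and is_valid_db_name(table)):
        raise ValueError("invalid database or table name")
    base = os.path.realpath(datadir)
    for ext in TABLE_EXTENSIONS:
        path = os.path.realpath(os.path.join(base, db, table + ext))
        if os.path.commonpath([base, path]) != base:
            raise ValueError("path escapes data directory")
        if os.path.exists(path):
            return True
    return False


def demo() -> tuple:
    """Constructed layout: a leftover 'orders.ISD' with no 'orders.frm'.

    Returns (frm_only_result, all_files_result) to show the difference
    between the .frm-only check and the check over all three files.
    """
    with tempfile.TemporaryDirectory() as datadir:
        os.mkdir(os.path.join(datadir, "shop"))
        open(os.path.join(datadir, "shop", "orders.ISD"), "w").close()
        frm_only = os.path.exists(os.path.join(datadir, "shop", "orders.frm"))
        return frm_only, table_exists(datadir, "shop", "orders")
```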