[19752] in bugtraq
Re: potential vulnerability of mysqld running with root
daemon@ATHENA.MIT.EDU (Sergei Golubchik)
Wed Mar 21 16:37:19 2001
Mail-Followup-To: Scott Fagg <scott.fagg@ARUP.COM.AU>, BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010321113129.E2119@serg.mysql.com>
Date: Wed, 21 Mar 2001 11:31:29 +0100
Reply-To: Sergei Golubchik <serg@MYSQL.COM>
From: Sergei Golubchik <serg@MYSQL.COM>
X-To: Scott Fagg <scott.fagg@ARUP.COM.AU>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <sab747a7.014@arup.com.au>; from scott.fagg@ARUP.COM.AU on Tue,
Mar 20, 2001 at 12:02:58PM +1100
Hi!
On Mar 20, Scott Fagg wrote:
> Works for mysql 3.23.32 running as root.
>
> I used:
>
> mysql -u root ../../../../tmp
> create table yikes(w int(4));
>
> This created /tmp/yikes.*
>
>
> >>> "Pavlov, Lesha" <lesha@NN.RU> 19/3/01 4:32:37 am >>>
> Anybody who gets a login and password to mysql can use it as a DoS or r00t
> exploit, because mysql accepts '../blah-blah' as a valid database name and
> each table is represented by 3 files: tablename.ISD, tablename.ISM and
> tablename.frm. But when mysqld checks whether a table already exists,
> it checks _only_ tablename.frm:
Sorry for the confusion - in my previous mail I said 3.23 is not vulnerable.
Yes, it IS vulnerable, the bug would be fixed asap.
Regards,
Sergei
--
MySQL Development Team
Sergei Golubchik <serg@mysql.com>
MySQL AB, http://www.mysql.com/
Osnabrueck, Germany
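A defensive check for the behaviour reported in this thread, as an added example that is not MySQL's code or its fix: it rejects database and table names that are not a single path component, and it tests all three per-table files instead of only the .frm. The function names, the 64-byte name limit and the datadir/db/table layout are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Suffixes of the three per-table files named in the quoted report. */
static const char *const TABLE_SUFFIXES[] = { ".ISD", ".ISM", ".frm" };

/* Return 1 if `name` is usable as one directory or file name component
 * under the data directory, 0 otherwise. */
int is_safe_component(const char *name)
{
    size_t len, i;
    if (name == NULL) return 0;
    len = strlen(name);
    if (len == 0 || len > 64) return 0;   /* 64 is an assumed limit */
    if (name[0] == '.') return 0;         /* rejects ".", ".." and "../x" */
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '/' || c == '\\' || c < 0x20 || c == 0x7f) return 0;
    }
    return 1;
}

/* Return 1 if any of the table's files already exists, 0 if none does,
 * -1 if a name is rejected or the path does not fit the buffer. */
int table_files_exist(const char *datadir, const char *db, const char *table)
{
    char path[1024];
    size_t i;
    if (!is_safe_component(db) || !is_safe_component(table)) return -1;
    for (i = 0; i < sizeof TABLE_SUFFIXES / sizeof TABLE_SUFFIXES[0]; i++) {
        int n = snprintf(path, sizeof path, "%s/%s/%s%s",
                         datadir, db, table, TABLE_SUFFIXES[i]);
        if (n < 0 || (size_t)n >= sizeof path) return -1;
        if (access(path, F_OK) == 0) return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed inputs: the database name from the quoted report and a plain one. */
    printf("../../../../tmp -> %d\n", is_safe_component("../../../../tmp"));
    printf("test            -> %d\n", is_safe_component("test"));
    return 0;
}
```
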