Vulnerabilities > CVE-2005-0711 - Remote vulnerability in MySQL AB MySQL
Attack vector
LOCAL Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
PARTIAL Availability impact
NONE Summary
MySQL 4.0.23 and earlier, and 4.1.x up to 4.1.10, uses predictable file names when creating temporary tables, which allows local users with CREATE TEMPORARY TABLE privileges to overwrite arbitrary files via a symlink attack.
Vulnerable Configurations
Exploit-Db
| description | MySQL 4.x CREATE TEMPORARY TABLE Symlink Privilege Escalation. CVE-2005-0711. Remote exploits for multiple platform |
| id | EDB-ID:25211 |
| last seen | 2016-02-03 |
| modified | 2006-01-18 |
| published | 2006-01-18 |
| reporter | Marco Ivaldi |
| source | https://www.exploit-db.com/download/25211/ |
| title | MySQL 4.x - CREATE TEMPORARY TABLE Symlink Privilege Escalation |
Nessus
NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-200503-19.NASL description The remote host is affected by the vulnerability described in GLSA-200503-19 (MySQL: Multiple vulnerabilities) MySQL fails to properly validate input for authenticated users with INSERT and DELETE privileges (CAN-2005-0709 and CAN-2005-0710). Furthermore MySQL uses predictable filenames when creating temporary files with CREATE TEMPORARY TABLE (CAN-2005-0711). Impact : An attacker with INSERT and DELETE privileges could exploit this to manipulate the mysql table or accessing libc calls, potentially leading to the execution of arbitrary code with the permissions of the user running MySQL. An attacker with CREATE TEMPORARY TABLE privileges could exploit this to overwrite arbitrary files via a symlink attack. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 17344 published 2005-03-17 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/17344 title GLSA-200503-19 : MySQL: Multiple vulnerabilities code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Gentoo Linux Security Advisory GLSA 200503-19. # # The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc. # and licensed under the Creative Commons - Attribution / Share Alike # license. See http://creativecommons.org/licenses/by-sa/3.0/ # include("compat.inc"); if (description) { script_id(17344); script_version("1.15"); script_cvs_date("Date: 2019/08/02 13:32:42"); script_cve_id("CVE-2005-0709", "CVE-2005-0710", "CVE-2005-0711"); script_xref(name:"GLSA", value:"200503-19"); script_name(english:"GLSA-200503-19 : MySQL: Multiple vulnerabilities"); script_summary(english:"Checks for updated package(s) in /var/db/pkg"); script_set_attribute( attribute:"synopsis", value: "The remote Gentoo host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "The remote host is affected by the vulnerability described in GLSA-200503-19 (MySQL: Multiple vulnerabilities) MySQL fails to properly validate input for authenticated users with INSERT and DELETE privileges (CAN-2005-0709 and CAN-2005-0710). Furthermore MySQL uses predictable filenames when creating temporary files with CREATE TEMPORARY TABLE (CAN-2005-0711). Impact : An attacker with INSERT and DELETE privileges could exploit this to manipulate the mysql table or accessing libc calls, potentially leading to the execution of arbitrary code with the permissions of the user running MySQL. An attacker with CREATE TEMPORARY TABLE privileges could exploit this to overwrite arbitrary files via a symlink attack. Workaround : There is no known workaround at this time." ); script_set_attribute( attribute:"see_also", value:"https://security.gentoo.org/glsa/200503-19" ); script_set_attribute( attribute:"solution", value: "All MySQL users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose '>=dev-db/mysql-4.0.24'" ); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:mysql"); script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux"); script_set_attribute(attribute:"patch_publication_date", value:"2005/03/16"); script_set_attribute(attribute:"plugin_publication_date", value:"2005/03/17"); script_set_attribute(attribute:"vuln_publication_date", value:"2005/03/11"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc."); script_family(english:"Gentoo Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("qpkg.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo"); if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (qpkg_check(package:"dev-db/mysql", unaffected:make_list("ge 4.0.24"), vulnerable:make_list("lt 4.0.24"))) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:qpkg_report_get()); else security_warning(0); exit(0); } else { tested = qpkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "MySQL"); }NASL family MacOS X Local Security Checks NASL id MACOSX_SECUPD2005-007.NASL description The remote host is running a version of Mac OS X 10.4 or 10.3 that does not have Security Update 2005-007 applied. This security update contains fixes for the following products : - Apache 2 - AppKit - Bluetooth - CoreFoundation - CUPS - Directory Services - HItoolbox - Kerberos - loginwindow - Mail - MySQL - OpenSSL - QuartzComposerScreenSaver - ping - Safari - SecurityInterface - servermgrd - servermgr_ipfilter - SquirelMail - traceroute - WebKit - WebLog Server - X11 - zlib last seen 2020-06-01 modified 2020-06-02 plugin id 19463 published 2005-08-18 reporter This script is Copyright (C) 2005-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/19463 title Mac OS X Multiple Vulnerabilities (Security Update 2005-007) code # # (C) Tenable Network Security, Inc. # if ( ! defined_func("bn_random") ) exit(0); if (NASL_LEVEL < 3004) exit(0); include("compat.inc"); if(description) { script_id(19463); script_version ("1.15"); script_cvs_date("Date: 2018/07/14 1:59:35"); script_cve_id("CVE-2005-1344", "CVE-2004-0942", "CVE-2004-0885", "CVE-2004-1083", "CVE-2004-1084", "CVE-2005-2501", "CVE-2005-2502", "CVE-2005-2503", "CVE-2005-2504", "CVE-2005-2505", "CVE-2005-2506", "CVE-2005-2525", "CVE-2005-2526", "CVE-2005-2507", "CVE-2005-2508", "CVE-2005-2519", "CVE-2005-2513", "CVE-2004-1189", "CVE-2005-1174", "CVE-2005-1175", "CVE-2005-1689", "CVE-2005-2511", "CVE-2005-2509", "CVE-2005-2512", "CVE-2005-2745", "CVE-2005-0709", "CVE-2005-0710", "CVE-2005-0711", "CVE-2004-0079", "CVE-2004-0112", "CVE-2005-2514", "CVE-2005-2515", "CVE-2005-2516", "CVE-2005-2517", "CVE-2005-2524", "CVE-2005-2520", "CVE-2005-2518", "CVE-2005-2510", "CVE-2005-1769", "CVE-2005-2095", "CVE-2005-2521", "CVE-2005-2522", "CVE-2005-2523", "CVE-2005-0605", "CVE-2005-2096", "CVE-2005-1849"); script_bugtraq_id(14567, 14569); script_name(english:"Mac OS X Multiple Vulnerabilities (Security Update 2005-007)"); script_summary(english:"Check for Security Update 2005-007"); script_set_attribute(attribute:"synopsis", value: "The remote host is missing a Mac OS X update that fixes various security issues." ); script_set_attribute(attribute:"description", value: "The remote host is running a version of Mac OS X 10.4 or 10.3 that does not have Security Update 2005-007 applied. This security update contains fixes for the following products : - Apache 2 - AppKit - Bluetooth - CoreFoundation - CUPS - Directory Services - HItoolbox - Kerberos - loginwindow - Mail - MySQL - OpenSSL - QuartzComposerScreenSaver - ping - Safari - SecurityInterface - servermgrd - servermgr_ipfilter - SquirelMail - traceroute - WebKit - WebLog Server - X11 - zlib" ); # http://web.archive.org/web/20060406190355/http://docs.info.apple.com/article.html?artnum=302163 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?74ffa359" ); script_set_attribute(attribute:"solution", value: "!Install Security Update 2005-007." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_cwe_id(119); script_set_attribute(attribute:"plugin_publication_date", value: "2005/08/18"); script_set_attribute(attribute:"vuln_publication_date", value: "2005/08/12"); script_set_attribute(attribute:"patch_publication_date", value: "2005/08/12"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc."); script_family(english:"MacOS X Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/MacOSX/packages"); exit(0); } # packages = get_kb_item("Host/MacOSX/packages"); if ( ! packages ) exit(0); uname = get_kb_item("Host/uname"); # MacOS X 10.4.2 if ( egrep(pattern:"Darwin.* (7\.[0-9]\.|8\.2\.)", string:uname) ) { if (!egrep(pattern:"^SecUpd(Srvr)?2005-007", string:packages)) security_hole(0); }NASL family Fedora Local Security Checks NASL id FEDORA_2005-304.NASL description - Sat Apr 2 2005 Tom Lane <tgl at redhat.com> 3.23.58-16.FC3.1 - Repair uninitialized variable in security2 patch. - Enable testing on 64-bit arches; continue to exclude s390x which still has issues. - Sat Mar 19 2005 Tom Lane <tgl at redhat.com> 3.23.58-15.FC3.1 - Backpatch repair for CVE-2005-0709, CVE-2005-0710, CVE-2005-0711 (bz#151051). - Run last seen 2020-06-01 modified 2020-06-02 plugin id 19646 published 2005-09-12 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/19646 title Fedora Core 3 : mysql-3.23.58-16.FC3.1 (2005-304) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2005-304. # include("compat.inc"); if (description) { script_id(19646); script_version ("1.14"); script_cvs_date("Date: 2019/08/02 13:32:24"); script_xref(name:"FEDORA", value:"2005-304"); script_name(english:"Fedora Core 3 : mysql-3.23.58-16.FC3.1 (2005-304)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora Core host is missing a security update." ); script_set_attribute( attribute:"description", value: " - Sat Apr 2 2005 Tom Lane <tgl at redhat.com> 3.23.58-16.FC3.1 - Repair uninitialized variable in security2 patch. - Enable testing on 64-bit arches; continue to exclude s390x which still has issues. - Sat Mar 19 2005 Tom Lane <tgl at redhat.com> 3.23.58-15.FC3.1 - Backpatch repair for CVE-2005-0709, CVE-2005-0710, CVE-2005-0711 (bz#151051). - Run 'make test' only on the archs we support for FC-3. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); # https://lists.fedoraproject.org/pipermail/announce/2005-April/000842.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?fb39b0a5" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_attribute(attribute:"risk_factor", value:"High"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:mysql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:mysql-bench"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:mysql-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:mysql-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:mysql-server"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora_core:3"); script_set_attribute(attribute:"patch_publication_date", value:"2005/04/05"); script_set_attribute(attribute:"plugin_publication_date", value:"2005/09/12"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^3([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 3.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC3", reference:"mysql-3.23.58-16.FC3.1")) flag++; if (rpm_check(release:"FC3", reference:"mysql-bench-3.23.58-16.FC3.1")) flag++; if (rpm_check(release:"FC3", reference:"mysql-debuginfo-3.23.58-16.FC3.1")) flag++; if (rpm_check(release:"FC3", reference:"mysql-devel-3.23.58-16.FC3.1")) flag++; if (rpm_check(release:"FC3", reference:"mysql-server-3.23.58-16.FC3.1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "mysql / mysql-bench / mysql-debuginfo / mysql-devel / mysql-server"); }NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2005-334.NASL description Updated mysql packages that fix several vulnerabilities are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. MySQL is a multi-user, multi-threaded SQL database server. This update fixes several security risks in the MySQL server. Stefano Di Paola discovered two bugs in the way MySQL handles user-defined functions. A user with the ability to create and execute a user defined function could potentially execute arbitrary code on the MySQL server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-0709 and CVE-2005-0710 to these issues. Stefano Di Paola also discovered a bug in the way MySQL creates temporary tables. A local user could create a specially crafted symlink which could result in the MySQL server overwriting a file which it has write access to. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-0711 to this issue. All users of the MySQL server are advised to upgrade to these updated packages, which contain fixes for these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 17646 published 2005-03-29 reporter This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/17646 title RHEL 2.1 / 3 / 4 : mysql (RHSA-2005:334) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2005:334. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(17646); script_version ("1.25"); script_cvs_date("Date: 2019/10/25 13:36:11"); script_cve_id("CVE-2005-0709", "CVE-2005-0710", "CVE-2005-0711"); script_xref(name:"RHSA", value:"2005:334"); script_name(english:"RHEL 2.1 / 3 / 4 : mysql (RHSA-2005:334)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated mysql packages that fix several vulnerabilities are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. MySQL is a multi-user, multi-threaded SQL database server. This update fixes several security risks in the MySQL server. Stefano Di Paola discovered two bugs in the way MySQL handles user-defined functions. A user with the ability to create and execute a user defined function could potentially execute arbitrary code on the MySQL server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-0709 and CVE-2005-0710 to these issues. Stefano Di Paola also discovered a bug in the way MySQL creates temporary tables. A local user could create a specially crafted symlink which could result in the MySQL server overwriting a file which it has write access to. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-0711 to this issue. All users of the MySQL server are advised to upgrade to these updated packages, which contain fixes for these issues." ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2005-0709" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2005-0710" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2005-0711" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2005:334" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mysql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mysql-bench"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mysql-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mysql-server"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:3"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:4"); script_set_attribute(attribute:"vuln_publication_date", value:"2005/05/02"); script_set_attribute(attribute:"patch_publication_date", value:"2005/03/28"); script_set_attribute(attribute:"plugin_publication_date", value:"2005/03/29"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^(2\.1|3|4)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1 / 3.x / 4.x", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2005:334"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"mysql-3.23.58-1.72.2")) flag++; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"mysql-devel-3.23.58-1.72.2")) flag++; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"mysql-server-3.23.58-1.72.2")) flag++; if (rpm_check(release:"RHEL3", reference:"mysql-3.23.58-15.RHEL3.1")) flag++; if (rpm_check(release:"RHEL3", reference:"mysql-bench-3.23.58-15.RHEL3.1")) flag++; if (rpm_check(release:"RHEL3", reference:"mysql-devel-3.23.58-15.RHEL3.1")) flag++; if (rpm_check(release:"RHEL4", reference:"mysql-4.1.10a-1.RHEL4.1")) flag++; if (rpm_check(release:"RHEL4", reference:"mysql-bench-4.1.10a-1.RHEL4.1")) flag++; if (rpm_check(release:"RHEL4", reference:"mysql-devel-4.1.10a-1.RHEL4.1")) flag++; if (rpm_check(release:"RHEL4", reference:"mysql-server-4.1.10a-1.RHEL4.1")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "mysql / mysql-bench / mysql-devel / mysql-server"); } }NASL family Databases NASL id MYSQL_MULTIPLE_FLAWS4.NASL description The remote host is running a version of MySQL which older than version 4.0.24 or 4.1.10a. Such versions are potentially affected by multiple issues. - MySQL uses predictable file names when creating temporary tables, which allows local users with last seen 2020-06-01 modified 2020-06-02 plugin id 17313 published 2005-03-11 reporter This script is Copyright (C) 2005-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/17313 title MySQL < 4.0.24 / 4.1.10a Multiple Vulnerabilities NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_619EF337949A11D9B81300D05964249F.NASL description SecurityFocus reports : MySQL is reported prone to an insecure temporary file creation vulnerability. Reports indicate that an attacker that has last seen 2020-06-01 modified 2020-06-02 plugin id 18956 published 2005-07-13 reporter This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/18956 title FreeBSD : mysql-server -- multiple remote vulnerabilities (619ef337-949a-11d9-b813-00d05964249f) NASL family Solaris Local Security Checks NASL id SOLARIS10_X86_120293.NASL description SunOS 5.10_x86 : mysql patch. Date this patch was last updated by Sun : Jun/27/08 This plugin has been deprecated and either replaced with individual 120293 patch-revision plugins, or deemed non-security related. last seen 2019-02-21 modified 2018-07-30 plugin id 19452 published 2005-08-18 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=19452 title Solaris 10 (x86) : 120293-02 (deprecated) NASL family Solaris Local Security Checks NASL id SOLARIS10_120292-02.NASL description SunOS 5.10 : mysql patch. Date this patch was last updated by Sun : Jun/27/08 last seen 2020-06-01 modified 2020-06-02 plugin id 107361 published 2018-03-12 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/107361 title Solaris 10 (sparc) : 120292-02 NASL family Debian Local Security Checks NASL id DEBIAN_DSA-707.NASL description Several vulnerabilities have been discovered in MySQL, a popular database. The Common Vulnerabilities and Exposures project identifies the following problems : - CAN-2004-0957 Sergei Golubchik discovered a problem in the access handling for similar named databases. If a user is granted privileges to a database with a name containing an underscore ( last seen 2020-06-01 modified 2020-06-02 plugin id 18042 published 2005-04-14 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/18042 title Debian DSA-707-1 : mysql - several vulnerabilities NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2005-348.NASL description Updated mysql-server packages that fix several vulnerabilities are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. MySQL is a multi-user, multi-threaded SQL database server. This update fixes several security risks in the MySQL server. Stefano Di Paola discovered two bugs in the way MySQL handles user-defined functions. A user with the ability to create and execute a user defined function could potentially execute arbitrary code on the MySQL server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-0709 and CVE-2005-0710 to these issues. Stefano Di Paola also discovered a bug in the way MySQL creates temporary tables. A local user could create a specially crafted symlink which could result in the MySQL server overwriting a file which it has write access to. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-0711 to this issue. All users of the MySQL server are advised to upgrade to these updated packages, which contain fixes for these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 21926 published 2006-07-05 reporter This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/21926 title CentOS 3 : mysql-server (CESA-2005:348) NASL family Solaris Local Security Checks NASL id SOLARIS10_X86_120293-02.NASL description SunOS 5.10_x86 : mysql patch. Date this patch was last updated by Sun : Jun/27/08 last seen 2020-06-01 modified 2020-06-02 plugin id 107863 published 2018-03-12 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/107863 title Solaris 10 (x86) : 120293-02 NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2005-348.NASL description Updated mysql-server packages that fix several vulnerabilities are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. MySQL is a multi-user, multi-threaded SQL database server. This update fixes several security risks in the MySQL server. Stefano Di Paola discovered two bugs in the way MySQL handles user-defined functions. A user with the ability to create and execute a user defined function could potentially execute arbitrary code on the MySQL server. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-0709 and CVE-2005-0710 to these issues. Stefano Di Paola also discovered a bug in the way MySQL creates temporary tables. A local user could create a specially crafted symlink which could result in the MySQL server overwriting a file which it has write access to. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-0711 to this issue. All users of the MySQL server are advised to upgrade to these updated packages, which contain fixes for these issues. last seen 2020-06-01 modified 2020-06-02 plugin id 17981 published 2005-04-06 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/17981 title RHEL 3 : mysql-server (RHSA-2005:348) NASL family SuSE Local Security Checks NASL id SUSE_SA_2005_019.NASL description The remote host is missing the patch for the advisory SUSE-SA:2005:019 (mysql). MySQL is an Open Source database server, commonly used together with web services provided by PHP scripts or similar. This security update fixes a broken mysqlhotcopy script as well as several security related bugs: - CVE-2005-0709: MySQL allowed remote authenticated users with INSERT and DELETE privileges to execute arbitrary code by using CREATE FUNCTION to access libc calls, as demonstrated by using strcat, on_exit, and exit. - CVE-2005-0710: MySQL allowed remote authenticated users with INSERT and DELETE privileges to bypass library path restrictions and execute arbitrary libraries by using INSERT INTO to modify the mysql.func table, which is processed by the udf_init function. - CVE-2005-0711: MySQL used predictable file names when creating temporary tables, which allows local users with CREATE TEMPORARY TABLE privileges to overwrite arbitrary files via a symlink attack. The first two vulnerabilities can be exploited by an attacker using SQL inject attack vectors into a flawed PHP application for instance. last seen 2020-06-01 modified 2020-06-02 plugin id 17618 published 2005-03-25 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/17618 title SUSE-SA:2005:019: mysql NASL family Mandriva Local Security Checks NASL id MANDRAKE_MDKSA-2005-060.NASL description A number of vulnerabilities were discovered by Stefano Di Paola in the MySQL server : If an authenticated user had INSERT privileges on the last seen 2020-06-01 modified 2020-06-02 plugin id 17601 published 2005-03-23 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/17601 title Mandrake Linux Security Advisory : MySQL (MDKSA-2005:060) NASL family Solaris Local Security Checks NASL id SOLARIS10_120292.NASL description SunOS 5.10 : mysql patch. Date this patch was last updated by Sun : Jun/27/08 This plugin has been deprecated and either replaced with individual 120292 patch-revision plugins, or deemed non-security related. last seen 2019-02-21 modified 2018-07-30 plugin id 19447 published 2005-08-18 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=19447 title Solaris 10 (sparc) : 120292-02 (deprecated) NASL family Fedora Local Security Checks NASL id FEDORA_2005-305.NASL description - Sat Apr 2 2005 Tom Lane <tgl at redhat.com> 3.23.58-16.FC2.1 - Repair uninitialized variable in security2 patch. - Enable testing on 64-bit arches; continue to exclude s390x which still has issues. - Fri Mar 18 2005 Tom Lane <tgl at redhat.com> 3.23.58-15.FC2.1 - Backpatch repair for CVE-2005-0709, CVE-2005-0710, CVE-2005-0711 (bz#151051). - Fix init script to not need a valid username for startup check (bz#142328) - Don last seen 2020-06-01 modified 2020-06-02 plugin id 18333 published 2005-05-19 reporter This script is Copyright (C) 2005-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/18333 title Fedora Core 2 : mysql-3.23.58-16.FC2.1 (2005-305) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-96-1.NASL description Stefano Di Paola discovered three privilege escalation flaws in the MySQL server : - If an authenticated user had INSERT privileges on the last seen 2020-06-01 modified 2020-06-02 plugin id 20722 published 2006-01-15 reporter Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/20722 title Ubuntu 4.10 : mysql-dfsg vulnerabilities (USN-96-1)
Oval
| accepted | 2013-04-29T04:20:29.679-04:00 | ||||||||||||||||||||
| class | vulnerability | ||||||||||||||||||||
| contributors |
| ||||||||||||||||||||
| definition_extensions |
| ||||||||||||||||||||
| description | MySQL 4.0.23 and earlier, and 4.1.x up to 4.1.10, uses predictable file names when creating temporary tables, which allows local users with CREATE TEMPORARY TABLE privileges to overwrite arbitrary files via a symlink attack. | ||||||||||||||||||||
| family | unix | ||||||||||||||||||||
| id | oval:org.mitre.oval:def:9591 | ||||||||||||||||||||
| status | accepted | ||||||||||||||||||||
| submitted | 2010-07-09T03:56:16-04:00 | ||||||||||||||||||||
| title | MySQL 4.0.23 and earlier, and 4.1.x up to 4.1.10, uses predictable file names when creating temporary tables, which allows local users with CREATE TEMPORARY TABLE privileges to overwrite arbitrary files via a symlink attack. | ||||||||||||||||||||
| version | 26 |
Redhat
| advisories |
| ||||||||
| rpms |
|
References
- http://archives.neohapsis.com/archives/vulnwatch/2005-q1/0082.html
- http://lists.apple.com/archives/security-announce/2005//Aug/msg00001.html
- http://lists.apple.com/archives/security-announce/2005/Aug/msg00000.html
- http://sunsolve.sun.com/search/document.do?assetkey=1-26-101864-1
- http://www.debian.org/security/2005/dsa-707
- http://www.gentoo.org/security/en/glsa/glsa-200503-19.xml
- http://www.mandriva.com/security/advisories?name=MDKSA-2005:060
- http://www.novell.com/linux/security/advisories/2005_19_mysql.html
- http://www.redhat.com/support/errata/RHSA-2005-334.html
- http://www.redhat.com/support/errata/RHSA-2005-348.html
- http://www.securityfocus.com/bid/12781
- http://www.trustix.org/errata/2005/0009/
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9591
- https://usn.ubuntu.com/96-1/