Vulnerabilities > CVE-2006-1516 - Remote Information Disclosure and Buffer Overflow vulnerability in MySQL

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
network
low complexity
mysql
oracle
nessus
exploit available

Summary

The check_connection function in sql_parse.cc in MySQL 4.0.x up to 4.0.26, 4.1.x up to 4.1.18, and 5.0.x up to 5.0.20 allows remote attackers to read portions of memory via a username without a trailing null byte, which causes a buffer over-read.

Exploit-Db

descriptionMySQL (<= 4.1.18, 5.0.20) Local/Remote Information Leakage Exploit. CVE-2006-1516. Remote exploit for linux platform
idEDB-ID:1742
last seen2016-01-31
modified2006-05-02
published2006-05-02
reporterStefano Di Paola
sourcehttps://www.exploit-db.com/download/1742/
titleMySQL <= 4.1.18 / 5.0.20 - Local/Remote Information Leakage Exploit

Nessus

  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2006-0544.NASL
    descriptionUpdated mysql packages that fix multiple security flaws are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. MySQL is a multi-user, multi-threaded SQL database server. MySQL is a client/server implementation consisting of a server daemon (mysqld) and many different client programs and libraries. A flaw was found in the way the MySQL mysql_real_escape() function escaped strings when operating in a multibyte character encoding. An attacker could provide an application a carefully crafted string containing invalidly-encoded characters which may be improperly escaped, leading to the injection of malicious SQL commands. (CVE-2006-2753) An information disclosure flaw was found in the way the MySQL server processed malformed usernames. An attacker could view a small portion of server memory by supplying an anonymous login username which was not null terminated. (CVE-2006-1516) An information disclosure flaw was found in the way the MySQL server executed the COM_TABLE_DUMP command. An authenticated malicious user could send a specially crafted packet to the MySQL server which returned random unallocated memory. (CVE-2006-1517) A log file obfuscation flaw was found in the way the mysql_real_query() function creates log file entries. An attacker with the the ability to call the mysql_real_query() function against a mysql server can obfuscate the entry the server will write to the log file. However, an attacker needed to have complete control over a server in order to attempt this attack. (CVE-2006-0903) This update also fixes numerous non-security-related flaws, such as intermittent authentication failures. All users of mysql are advised to upgrade to these updated packages containing MySQL version 4.1.20, which is not vulnerable to these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id21683
    published2006-06-11
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/21683
    titleRHEL 4 : mysql (RHSA-2006:0544)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2006:0544. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(21683);
      script_version ("1.24");
      script_cvs_date("Date: 2019/10/25 13:36:12");
    
      script_cve_id("CVE-2006-0903", "CVE-2006-1516", "CVE-2006-1517", "CVE-2006-2753", "CVE-2006-3081", "CVE-2006-4380");
      script_bugtraq_id(17780);
      script_xref(name:"RHSA", value:"2006:0544");
    
      script_name(english:"RHEL 4 : mysql (RHSA-2006:0544)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated mysql packages that fix multiple security flaws are now
    available.
    
    This update has been rated as having important security impact by the
    Red Hat Security Response Team.
    
    MySQL is a multi-user, multi-threaded SQL database server. MySQL is a
    client/server implementation consisting of a server daemon (mysqld)
    and many different client programs and libraries.
    
    A flaw was found in the way the MySQL mysql_real_escape() function
    escaped strings when operating in a multibyte character encoding. An
    attacker could provide an application a carefully crafted string
    containing invalidly-encoded characters which may be improperly
    escaped, leading to the injection of malicious SQL commands.
    (CVE-2006-2753)
    
    An information disclosure flaw was found in the way the MySQL server
    processed malformed usernames. An attacker could view a small portion
    of server memory by supplying an anonymous login username which was
    not null terminated. (CVE-2006-1516)
    
    An information disclosure flaw was found in the way the MySQL server
    executed the COM_TABLE_DUMP command. An authenticated malicious user
    could send a specially crafted packet to the MySQL server which
    returned random unallocated memory. (CVE-2006-1517)
    
    A log file obfuscation flaw was found in the way the
    mysql_real_query() function creates log file entries. An attacker with
    the the ability to call the mysql_real_query() function against a
    mysql server can obfuscate the entry the server will write to the log
    file. However, an attacker needed to have complete control over a
    server in order to attempt this attack. (CVE-2006-0903)
    
    This update also fixes numerous non-security-related flaws, such as
    intermittent authentication failures.
    
    All users of mysql are advised to upgrade to these updated packages
    containing MySQL version 4.1.20, which is not vulnerable to these
    issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2006-0903"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2006-1516"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2006-1517"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2006-2753"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2006-3081"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2006-4380"
      );
      # http://lists.mysql.com/announce/364
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.mysql.com/announce/364"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2006:0544"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mysql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mysql-bench");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mysql-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mysql-server");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:4");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/02/27");
      script_set_attribute(attribute:"patch_publication_date", value:"2006/06/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/06/11");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^4([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 4.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2006:0544";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL4", reference:"mysql-4.1.20-1.RHEL4.1")) flag++;
      if (rpm_check(release:"RHEL4", reference:"mysql-bench-4.1.20-1.RHEL4.1")) flag++;
      if (rpm_check(release:"RHEL4", reference:"mysql-devel-4.1.20-1.RHEL4.1")) flag++;
      if (rpm_check(release:"RHEL4", reference:"mysql-server-4.1.20-1.RHEL4.1")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "mysql / mysql-bench / mysql-devel / mysql-server");
      }
    }
    
  • NASL familyDatabases
    NASL idMYSQL_5_0_21.NASL
    descriptionThe version of MySQL installed on the remote host is earlier than 4.0.27 / 4.1.19 / 5.0.21. As such, it is potentially affected by the following vulnerabilities : - A remote attacker may be able to read portions of memory by sending a specially crafted login packet in which the username does not have a trailing NULL. (CVE-2006-1516) - A remote attacker may be able to read portions of memory by sending a specially crafted COM_TABLE_DUMP request with an incorrect packet length. (CVE-2006-1517) - A buffer overflow in the
    last seen2020-06-01
    modified2020-06-02
    plugin id17697
    published2011-11-18
    reporterThis script is Copyright (C) 2011-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/17697
    titleMySQL < 4.0.27 / 4.1.19 / 5.0.21 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(17697);
      script_version("1.8");
      script_cvs_date("Date: 2018/11/15 20:50:21");
    
      script_cve_id("CVE-2006-1516", "CVE-2006-1517", "CVE-2006-1518");
      script_bugtraq_id(17780);
      script_xref(name:"CERT", value:"602457");
    
      script_name(english:"MySQL < 4.0.27 / 4.1.19 / 5.0.21 Multiple Vulnerabilities");
      script_summary(english:"Checks version of MySQL Server");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote database server is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The version of MySQL installed on the remote host is earlier than
    4.0.27 / 4.1.19 / 5.0.21.  As such, it is potentially affected by the
    following vulnerabilities :
    
      - A remote attacker may be able to read portions of memory
        by sending a specially crafted login packet in which the
        username does not have a trailing NULL. (CVE-2006-1516)
    
      - A remote attacker may be able to read portions of memory
        by sending a specially crafted COM_TABLE_DUMP request 
        with an incorrect packet length. (CVE-2006-1517)
    
      - A buffer overflow in the 'open_table()' function could 
        allow a remote, authenticated attacker to execute 
        arbitrary code via specially crafted COM_TABLE_DUMP 
        packets. (CVE-2006-1518)");
      script_set_attribute(attribute:"see_also", value:"http://dev.mysql.com/doc/refman/4.1/en/news-4-0-27.html");
      script_set_attribute(attribute:"see_also", value:"http://dev.mysql.com/doc/refman/4.1/en/news-4-1-19.html");
      script_set_attribute(attribute:"see_also", value:"http://dev.mysql.com/doc/refman/5.0/en/news-5-0-21.html");
      script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/archive/1/432734/100/0/threaded");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to MySQL version 4.0.27 / 4.1.19 / 5.0.21 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2006/05/02");
      script_set_attribute(attribute:"plugin_publication_date", value:"2011/11/18");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:mysql:mysql");
      script_end_attributes();
     
      script_category(ACT_GATHER_INFO);
      script_family(english:"Databases");
    
      script_copyright(english:"This script is Copyright (C) 2011-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("mysql_version.nasl", "mysql_login.nasl");
      script_require_ports("Services/mysql", 3306);
      script_require_keys("Settings/ParanoidReport");
    
      exit(0);
    }
    
    include("global_settings.inc");
    include("misc_func.inc");
    include("mysql_func.inc");
    
    
    # nb: banner checks of open source software are prone to false-
    #     positives so only run the check if reporting is paranoid.
    if (report_paranoia < 2)
      exit(1, "This plugin only runs if 'Report paranoia' is set to 'Paranoid'.");
    
    port = get_service(svc:"mysql", default:3306, exit_on_fail:TRUE);
    
    if (!mysql_init(port:port, exit_on_fail:TRUE) == 1) 
      exit(1, "Can't establish a connection to the MySQL server listening on port "+port+".");
    
    version = mysql_get_version();
    mysql_close();
    if (!strlen(version)) exit(1, "Can't get the version of the MySQL server listening on port "+port+".");
    
    if (
      version =~ "^4\.0\.([01]?[0-9]|2[0-6])($|[^0-9])" ||
      version =~ "^4\.1\.(0?[0-9]|1[0-8])($|[^0-9])" ||
      version =~ "^5\.0\.([01]?[0-9]|20)($|[^0-9])"
    )
    {
      if (report_verbosity > 0)
      {
        report = '\n  Installed version : ' + version +
                 '\n  Fixed version     : 4.0.27 / 4.1.19 / 5.0.21' +
                 '\n';
        datadir = get_kb_item('mysql/' + port + '/datadir');
        if (!empty_or_null(datadir))
        {
          report += '  Data Dir          : ' + datadir + '\n';
        }
        databases = get_kb_item('mysql/' + port + '/databases');
        if (!empty_or_null(databases))
        { 
          report += '  Databases         :\n' + databases;
        }
        security_warning(port:port, extra:report);
      }
      else security_warning(port);
      exit(0);
    }
    else exit(0, "The MySQL "+version+" server listening on port "+port+" is not affected.");
    
  • NASL familyDatabases
    NASL idMYSQL_ANONYMOUS_LOGIN_HANDSHAKE_INFO_LEAKAGE.NASL
    descriptionThe MySQL database server on the remote host reads from uninitialized memory when processing a specially crafted login packet. An unauthenticated attacker may be able to exploit this flaw to obtain sensitive information from the affected host as returned in an error packet.
    last seen2020-06-01
    modified2020-06-02
    plugin id21632
    published2006-06-04
    reporterThis script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/21632
    titleMySQL Anonymous Login Handshake Remote Information Disclosure
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-283-1.NASL
    descriptionStefano Di Paola discovered an information leak in the login packet parser. By sending a specially crafted malformed login packet, a remote attacker could exploit this to read a random piece of memory, which could potentially reveal sensitive data. (CVE-2006-1516) Stefano Di Paola also found a similar information leak in the parser for the COM_TABLE_DUMP request. (CVE-2006-1517). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id21377
    published2006-05-13
    reporterUbuntu Security Notice (C) 2006-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/21377
    titleUbuntu 5.04 / 5.10 : mysql-dfsg-4.1, mysql-dfsg vulnerabilities (USN-283-1)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1073.NASL
    descriptionSeveral vulnerabilities have been discovered in MySQL, a popular SQL database. The Common Vulnerabilities and Exposures Project identifies the following problems : - CVE-2006-0903 Improper handling of SQL queries containing the NULL character allows local users to bypass logging mechanisms. - CVE-2006-1516 Usernames without a trailing null byte allow remote attackers to read portions of memory. - CVE-2006-1517 A request with an incorrect packet length allows remote attackers to obtain sensitive information. - CVE-2006-1518 Specially crafted request packets with invalid length values allow the execution of arbitrary code. The following vulnerability matrix shows which version of MySQL in which distribution has this problem fixed : woody sarge sid mysql 3.23.49-8.15 n/a n/a mysql-dfsg n/a 4.0.24-10sarge2 n/a mysql-dfsg-4.1 n/a 4.1.11a-4sarge3 n/a mysql-dfsg-5.0 n/a n/a 5.0.21-3
    last seen2020-06-01
    modified2020-06-02
    plugin id22615
    published2006-10-14
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/22615
    titleDebian DSA-1073-1 : mysql-dfsg-4.1 - several vulnerabilities
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2006-553.NASL
    description5.0.21 fixes several moderate-severity security issues: see CVE-2006-0903 CVE-2006-1516 CVE-2006-1517 CVE-2006-1518, and our bugs 181335 182025 189054 190866 190868 190870 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id24105
    published2007-01-17
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/24105
    titleFedora Core 5 : mysql-5.0.21-2.FC5.1 (2006-553)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2006-554.NASL
    description4.1.19 fixes several moderate-severity security issues: see CVE-2006-0903 CVE-2006-1516 CVE-2006-1517 CVE-2006-1518, also our bugs 180467 180639 182025 183261 190866 190868 190870 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id24106
    published2007-01-17
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/24106
    titleFedora Core 4 : mysql-4.1.19-1.FC4.1 (2006-554)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2006-0544.NASL
    descriptionUpdated mysql packages that fix multiple security flaws are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. MySQL is a multi-user, multi-threaded SQL database server. MySQL is a client/server implementation consisting of a server daemon (mysqld) and many different client programs and libraries. A flaw was found in the way the MySQL mysql_real_escape() function escaped strings when operating in a multibyte character encoding. An attacker could provide an application a carefully crafted string containing invalidly-encoded characters which may be improperly escaped, leading to the injection of malicious SQL commands. (CVE-2006-2753) An information disclosure flaw was found in the way the MySQL server processed malformed usernames. An attacker could view a small portion of server memory by supplying an anonymous login username which was not null terminated. (CVE-2006-1516) An information disclosure flaw was found in the way the MySQL server executed the COM_TABLE_DUMP command. An authenticated malicious user could send a specially crafted packet to the MySQL server which returned random unallocated memory. (CVE-2006-1517) A log file obfuscation flaw was found in the way the mysql_real_query() function creates log file entries. An attacker with the the ability to call the mysql_real_query() function against a mysql server can obfuscate the entry the server will write to the log file. However, an attacker needed to have complete control over a server in order to attempt this attack. (CVE-2006-0903) This update also fixes numerous non-security-related flaws, such as intermittent authentication failures. All users of mysql are advised to upgrade to these updated packages containing MySQL version 4.1.20, which is not vulnerable to these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id22000
    published2006-07-05
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/22000
    titleCentOS 4 : mysql (CESA-2006:0544)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1071.NASL
    descriptionSeveral vulnerabilities have been discovered in MySQL, a popular SQL database. The Common Vulnerabilities and Exposures Project identifies the following problems : - CVE-2006-0903 Improper handling of SQL queries containing the NULL character allows local users to bypass logging mechanisms. - CVE-2006-1516 Usernames without a trailing null byte allow remote attackers to read portions of memory. - CVE-2006-1517 A request with an incorrect packet length allows remote attackers to obtain sensitive information. - CVE-2006-1518 Specially crafted request packets with invalid length values allow the execution of arbitrary code. The following vulnerability matrix shows which version of MySQL in which distribution has this problem fixed : woody sarge sid mysql 3.23.49-8.15 n/a n/a mysql-dfsg n/a 4.0.24-10sarge2 n/a mysql-dfsg-4.1 n/a 4.1.11a-4sarge3 n/a mysql-dfsg-5.0 n/a n/a 5.0.21-3
    last seen2020-06-01
    modified2020-06-02
    plugin id22613
    published2006-10-14
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/22613
    titleDebian DSA-1071-1 : mysql - several vulnerabilities
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-306-1.NASL
    descriptionMySQL did not correctly handle NULL as the second argument to the str_to_date() function. An authenticated user could exploit this to crash the server. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id27881
    published2007-11-10
    reporterUbuntu Security Notice (C) 2006-2019 Canonical, Inc. / NASL script (C) 2007-2016 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/27881
    titleUbuntu 5.10 : mysql-dfsg-4.1 vulnerability (USN-306-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SA_2006_036.NASL
    descriptionThe remote host is missing the patch for the advisory SUSE-SA:2006:036 (mysql). The database server MySQL was updated to fix the following security problems: - Attackers could read portions of memory by using a user name with trailing null byte or via COM_TABLE_DUMP command (CVE-2006-1516, CVE-2006-1517). - Attackers could potentially execute arbitrary code by causing a buffer overflow via specially crafted COM_TABLE_DUMP packets (CVE-2006-1518). The mysql server package was released on May 30th already, the mysql-Max server package was released on June 20th after additional bugfixes.
    last seen2019-10-28
    modified2007-02-18
    plugin id24416
    published2007-02-18
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/24416
    titleSUSE-SA:2006:036: mysql
  • NASL familySuSE Local Security Checks
    NASL idSUSE_MYSQL-1312.NASL
    descriptionAttackers could read portions of memory by using a user name with trailing null byte or via COM_TABLE_DUMP command (CVE-2006-1516, CVE-2006-1517). Attackers could execute arbitrary code by causing a buffer overflow via specially crafted COM_TABLE_DUMP packets (CVE-2006-1518).
    last seen2020-06-01
    modified2020-06-02
    plugin id27356
    published2007-10-17
    reporterThis script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/27356
    titleopenSUSE 10 Security Update : mysql (mysql-1312)
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_10_4_9.NASL
    descriptionThe remote host is running a version of Mac OS X 10.4 which is older than version 10.4.9 or a version of Mac OS X 10.3 which does not have Security Update 2007-003 applied. This update contains several security fixes for the following programs : - ColorSync - CoreGraphics - Crash Reporter - CUPS - Disk Images - DS Plugins - Flash Player - GNU Tar - HFS - HID Family - ImageIO - Kernel - MySQL server - Networking - OpenSSH - Printing - QuickDraw Manager - servermgrd - SMB File Server - Software Update - sudo - WebLog
    last seen2020-06-01
    modified2020-06-02
    plugin id24811
    published2007-03-13
    reporterThis script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/24811
    titleMac OS X < 10.4.9 Multiple Vulnerabilities (Security Update 2007-003)
  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2006-129-02.NASL
    descriptionNew mysql packages are available for Slackware 10.2 and -current to fix security issues. The MySQL package shipped with Slackware 10.2 may possibly leak sensitive information found in uninitialized memory to authenticated users. The MySQL package previously in Slackware -current also suffered from these flaws, but an additional overflow could allow arbitrary code execution. Since the vulnerabilities require a valid login and/or access to the database server, the risk is moderate. Slackware does not provide network access to a MySQL database by default.
    last seen2020-06-01
    modified2020-06-02
    plugin id21345
    published2006-05-13
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/21345
    titleSlackware 10.2 / current : mysql (SSA:2006-129-02)
  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2006-084.NASL
    descriptionThe check_connection function in sql_parse.cc in MySQL 4.0.x up to 4.0.26, 4.1.x up to 4.1.18, and 5.0.x up to 5.0.20 allows remote attackers to read portions of memory via a username without a trailing null byte, which causes a buffer over-read. (CVE-2006-1516) sql_parse.cc in MySQL 4.0.x up to 4.0.26, 4.1.x up to 4.1.18, and 5.0.x up to 5.0.20 allows remote attackers to obtain sensitive information via a COM_TABLE_DUMP request with an incorrect packet length, which includes portions of memory in an error message. (CVE-2006-1517) Updated packages have been patched to correct these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id21359
    published2006-05-13
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/21359
    titleMandrake Linux Security Advisory : MySQL (MDKSA-2006:084)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200605-13.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200605-13 (MySQL: Information leakage) The processing of the COM_TABLE_DUMP command by a MySQL server fails to properly validate packets that arrive from the client via a network socket. Impact : By crafting specific malicious packets an attacker could gather confidential information from the memory of a MySQL server process, for example results of queries by other users or applications. By using PHP code injection or similar techniques it would be possible to exploit this flaw through web applications that use MySQL as a database backend. Note that on 5.x versions it is possible to overwrite the stack and execute arbitrary code with this technique. Users of MySQL 5.x are urged to upgrade to the latest available version. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id21355
    published2006-05-13
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/21355
    titleGLSA-200605-13 : MySQL: Information leakage
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_4913886CE87511DAB9F400123FFE8333.NASL
    descriptionSecunia reports : MySQL have some vulnerabilities, which can be exploited by malicious users to disclose potentially sensitive information and compromise a vulnerable system. 1) An error within the code that generates an error response to an invalid COM_TABLE_DUMP packet can be exploited by an authenticated client to disclosure certain memory content of the server process. 2) A boundary error within the handling of specially crafted invalid COM_TABLE_DUMP packets can be exploited by an authenticated client to cause a buffer overflow and allows arbitrary code execution. 3) An error within the handling of malformed login packets can be exploited to disclosure certain memory content of the server process in the error messages.
    last seen2020-06-01
    modified2020-06-02
    plugin id21633
    published2006-06-05
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/21633
    titleFreeBSD : MySQL -- Information Disclosure and Buffer Overflow Vulnerabilities (4913886c-e875-11da-b9f4-00123ffe8333)
  • NASL familySlackware Local Security Checks
    NASL idSLACKWARE_SSA_2006-155-01.NASL
    descriptionNew mysql packages are available for Slackware 9.1, 10.0, 10.1, 10.2 and -current to fix security issues. The MySQL packages shipped with Slackware 9.1, 10.0, and 10.1 may possibly leak sensitive information found in uninitialized memory to authenticated users. This is fixed in the new packages, and was already patched in Slackware 10.2 and -current. Since the vulnerabilities require a valid login and/or access to the database server, the risk is moderate. Slackware does not provide network access to a MySQL database by default.
    last seen2020-06-01
    modified2020-06-02
    plugin id21639
    published2006-06-05
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/21639
    titleSlackware 10.0 / 10.1 / 10.2 / 9.1 / current : mysql (SSA:2006-155-01)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1079.NASL
    descriptionSeveral vulnerabilities have been discovered in MySQL, a popular SQL database. The Common Vulnerabilities and Exposures Project identifies the following problems : - CVE-2006-0903 Improper handling of SQL queries containing the NULL character allows local users to bypass logging mechanisms. - CVE-2006-1516 Usernames without a trailing null byte allow remote attackers to read portions of memory. - CVE-2006-1517 A request with an incorrect packet length allows remote attackers to obtain sensitive information. - CVE-2006-1518 Specially crafted request packets with invalid length values allow the execution of arbitrary code. The following vulnerability matrix shows which version of MySQL in which distribution has this problem fixed : woody sarge sid mysql 3.23.49-8.15 n/a n/a mysql-dfsg n/a 4.0.24-10sarge2 n/a mysql-dfsg-4.1 n/a 4.1.11a-4sarge3 n/a mysql-dfsg-5.0 n/a n/a 5.0.21-3
    last seen2020-06-01
    modified2020-06-02
    plugin id22621
    published2006-10-14
    reporterThis script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/22621
    titleDebian DSA-1079-1 : mysql-dfsg - several vulnerabilities

Oval

accepted2013-04-29T04:23:18.906-04:00
classvulnerability
contributors
  • nameAharon Chernin
    organizationSCAP.com, LLC
  • nameDragos Prisaca
    organizationG2, Inc.
definition_extensions
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 4
    ovaloval:org.mitre.oval:def:11831
  • commentCentOS Linux 4.x
    ovaloval:org.mitre.oval:def:16636
  • commentOracle Linux 4.x
    ovaloval:org.mitre.oval:def:15990
descriptionThe check_connection function in sql_parse.cc in MySQL 4.0.x up to 4.0.26, 4.1.x up to 4.1.18, and 5.0.x up to 5.0.20 allows remote attackers to read portions of memory via a username without a trailing null byte, which causes a buffer over-read.
familyunix
idoval:org.mitre.oval:def:9918
statusaccepted
submitted2010-07-09T03:56:16-04:00
titleThe check_connection function in sql_parse.cc in MySQL 4.0.x up to 4.0.26, 4.1.x up to 4.1.18, and 5.0.x up to 5.0.20 allows remote attackers to read portions of memory via a username without a trailing null byte, which causes a buffer over-read.
version26

Redhat

advisories
rhsa
idRHSA-2006:0544
rpms
  • mysql-0:4.1.20-1.RHEL4.1
  • mysql-bench-0:4.1.20-1.RHEL4.1
  • mysql-debuginfo-0:4.1.20-1.RHEL4.1
  • mysql-devel-0:4.1.20-1.RHEL4.1
  • mysql-server-0:4.1.20-1.RHEL4.1

References