Vulnerabilities > CVE-2006-1518

CVSS 0.0 - NONE

Attack vector

UNKNOWN

Attack complexity

UNKNOWN

Privileges required

UNKNOWN

Confidentiality impact

UNKNOWN

Integrity impact

UNKNOWN

Availability impact

UNKNOWN

mysql

oracle

nessus

exploit available

NVD

Published: 2006-05-05

Updated: 2024-11-21

Summary

Buffer overflow in the open_table function in sql_base.cc in MySQL 5.0.x up to 5.0.20 might allow remote attackers to execute arbitrary code via crafted COM_TABLE_DUMP packets with invalid length values.

Vulnerable Configurations

Part	Description	Count
Application	Mysql Mysql Mysql 5.0.5 Mysql Mysql 5.0.10 Mysql Mysql 5.0.15 Mysql Mysql 5.0.17 Mysql Mysql 5.0.3 Mysql Mysql 5.0.2 Mysql Mysql 5.0.20 Mysql Mysql 5.0.1 Mysql Mysql 5.0.4 Mysql Mysql 5.0.16	10
Application	Oracle Oracle Mysql 5.0.0 Oracle Mysql 5.0.3 Oracle Mysql 5.0.6 Oracle Mysql 5.0.11 Oracle Mysql 5.0.12 Oracle Mysql 5.0.13 Oracle Mysql 5.0.14 Oracle Mysql 5.0.18 Oracle Mysql 5.0.19 Oracle Mysql 5.0.7 Oracle Mysql 5.0.8 Oracle Mysql 5.0.9	12

Exploit-Db

description	MySQL <= 5.0.20 COM_TABLE_DUMP Memory Leak/Remote BoF Exploit. CVE-2006-1518. Remote exploit for linux platform
id	EDB-ID:1741
last seen	2016-01-31
modified	2006-05-02
published	2006-05-02
reporter	Stefano Di Paola
source	https://www.exploit-db.com/download/1741/
title	MySQL <= 5.0.20 COM_TABLE_DUMP Memory Leak/Remote BoF Exploit

Nessus

NASL family	Databases
NASL id	MYSQL_5_0_21.NASL
description	The version of MySQL installed on the remote host is earlier than 4.0.27 / 4.1.19 / 5.0.21. As such, it is potentially affected by the following vulnerabilities : - A remote attacker may be able to read portions of memory by sending a specially crafted login packet in which the username does not have a trailing NULL. (CVE-2006-1516) - A remote attacker may be able to read portions of memory by sending a specially crafted COM_TABLE_DUMP request with an incorrect packet length. (CVE-2006-1517) - A buffer overflow in the
last seen	2020-06-01
modified	2020-06-02
plugin id	17697
published	2011-11-18
reporter	This script is Copyright (C) 2011-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/17697
title	MySQL < 4.0.27 / 4.1.19 / 5.0.21 Multiple Vulnerabilities
code	# # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(17697); script_version("1.8"); script_cvs_date("Date: 2018/11/15 20:50:21"); script_cve_id("CVE-2006-1516", "CVE-2006-1517", "CVE-2006-1518"); script_bugtraq_id(17780); script_xref(name:"CERT", value:"602457"); script_name(english:"MySQL < 4.0.27 / 4.1.19 / 5.0.21 Multiple Vulnerabilities"); script_summary(english:"Checks version of MySQL Server"); script_set_attribute(attribute:"synopsis", value: "The remote database server is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The version of MySQL installed on the remote host is earlier than 4.0.27 / 4.1.19 / 5.0.21. As such, it is potentially affected by the following vulnerabilities : - A remote attacker may be able to read portions of memory by sending a specially crafted login packet in which the username does not have a trailing NULL. (CVE-2006-1516) - A remote attacker may be able to read portions of memory by sending a specially crafted COM_TABLE_DUMP request with an incorrect packet length. (CVE-2006-1517) - A buffer overflow in the 'open_table()' function could allow a remote, authenticated attacker to execute arbitrary code via specially crafted COM_TABLE_DUMP packets. (CVE-2006-1518)"); script_set_attribute(attribute:"see_also", value:"http://dev.mysql.com/doc/refman/4.1/en/news-4-0-27.html"); script_set_attribute(attribute:"see_also", value:"http://dev.mysql.com/doc/refman/4.1/en/news-4-1-19.html"); script_set_attribute(attribute:"see_also", value:"http://dev.mysql.com/doc/refman/5.0/en/news-5-0-21.html"); script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/archive/1/432734/100/0/threaded"); script_set_attribute(attribute:"solution", value: "Upgrade to MySQL version 4.0.27 / 4.1.19 / 5.0.21 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2006/05/02"); script_set_attribute(attribute:"plugin_publication_date", value:"2011/11/18"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:mysql:mysql"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Databases"); script_copyright(english:"This script is Copyright (C) 2011-2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("mysql_version.nasl", "mysql_login.nasl"); script_require_ports("Services/mysql", 3306); script_require_keys("Settings/ParanoidReport"); exit(0); } include("global_settings.inc"); include("misc_func.inc"); include("mysql_func.inc"); # nb: banner checks of open source software are prone to false- # positives so only run the check if reporting is paranoid. if (report_paranoia < 2) exit(1, "This plugin only runs if 'Report paranoia' is set to 'Paranoid'."); port = get_service(svc:"mysql", default:3306, exit_on_fail:TRUE); if (!mysql_init(port:port, exit_on_fail:TRUE) == 1) exit(1, "Can't establish a connection to the MySQL server listening on port "+port+"."); version = mysql_get_version(); mysql_close(); if (!strlen(version)) exit(1, "Can't get the version of the MySQL server listening on port "+port+"."); if ( version =~ "^4\.0\.([01]?[0-9]\|2[0-6])($\|[^0-9])" \|\| version =~ "^4\.1\.(0?[0-9]\|1[0-8])($\|[^0-9])" \|\| version =~ "^5\.0\.([01]?[0-9]\|20)($\|[^0-9])" ) { if (report_verbosity > 0) { report = '\n Installed version : ' + version + '\n Fixed version : 4.0.27 / 4.1.19 / 5.0.21' + '\n'; datadir = get_kb_item('mysql/' + port + '/datadir'); if (!empty_or_null(datadir)) { report += ' Data Dir : ' + datadir + '\n'; } databases = get_kb_item('mysql/' + port + '/databases'); if (!empty_or_null(databases)) { report += ' Databases :\n' + databases; } security_warning(port:port, extra:report); } else security_warning(port); exit(0); } else exit(0, "The MySQL "+version+" server listening on port "+port+" is not affected.");

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DSA-1073.NASL
description	Several vulnerabilities have been discovered in MySQL, a popular SQL database. The Common Vulnerabilities and Exposures Project identifies the following problems : - CVE-2006-0903 Improper handling of SQL queries containing the NULL character allows local users to bypass logging mechanisms. - CVE-2006-1516 Usernames without a trailing null byte allow remote attackers to read portions of memory. - CVE-2006-1517 A request with an incorrect packet length allows remote attackers to obtain sensitive information. - CVE-2006-1518 Specially crafted request packets with invalid length values allow the execution of arbitrary code. The following vulnerability matrix shows which version of MySQL in which distribution has this problem fixed : woody sarge sid mysql 3.23.49-8.15 n/a n/a mysql-dfsg n/a 4.0.24-10sarge2 n/a mysql-dfsg-4.1 n/a 4.1.11a-4sarge3 n/a mysql-dfsg-5.0 n/a n/a 5.0.21-3
last seen	2020-06-01
modified	2020-06-02
plugin id	22615
published	2006-10-14
reporter	This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/22615
title	Debian DSA-1073-1 : mysql-dfsg-4.1 - several vulnerabilities
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-1073. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(22615); script_version("1.20"); script_cvs_date("Date: 2019/08/02 13:32:19"); script_cve_id("CVE-2006-0903", "CVE-2006-1516", "CVE-2006-1517", "CVE-2006-1518"); script_bugtraq_id(16850, 17780); script_xref(name:"CERT", value:"602457"); script_xref(name:"DSA", value:"1073"); script_name(english:"Debian DSA-1073-1 : mysql-dfsg-4.1 - several vulnerabilities"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Several vulnerabilities have been discovered in MySQL, a popular SQL database. The Common Vulnerabilities and Exposures Project identifies the following problems : - CVE-2006-0903 Improper handling of SQL queries containing the NULL character allows local users to bypass logging mechanisms. - CVE-2006-1516 Usernames without a trailing null byte allow remote attackers to read portions of memory. - CVE-2006-1517 A request with an incorrect packet length allows remote attackers to obtain sensitive information. - CVE-2006-1518 Specially crafted request packets with invalid length values allow the execution of arbitrary code. The following vulnerability matrix shows which version of MySQL in which distribution has this problem fixed : woody sarge sid mysql 3.23.49-8.15 n/a n/a mysql-dfsg n/a 4.0.24-10sarge2 n/a mysql-dfsg-4.1 n/a 4.1.11a-4sarge3 n/a mysql-dfsg-5.0 n/a n/a 5.0.21-3" ); script_set_attribute( attribute:"see_also", value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=366043" ); script_set_attribute( attribute:"see_also", value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=366048" ); script_set_attribute( attribute:"see_also", value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=366162" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2006-0903" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2006-1516" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2006-1517" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2006-1518" ); script_set_attribute( attribute:"see_also", value:"http://www.debian.org/security/2006/dsa-1073" ); script_set_attribute(attribute:"solution", value:"Upgrade the mysql packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:mysql-dfsg-4.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1"); script_set_attribute(attribute:"patch_publication_date", value:"2006/05/22"); script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/14"); script_set_attribute(attribute:"vuln_publication_date", value:"2006/02/25"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"3.1", prefix:"libmysqlclient14", reference:"4.1.11a-4sarge3")) flag++; if (deb_check(release:"3.1", prefix:"libmysqlclient14-dev", reference:"4.1.11a-4sarge3")) flag++; if (deb_check(release:"3.1", prefix:"mysql-client-4.1", reference:"4.1.11a-4sarge3")) flag++; if (deb_check(release:"3.1", prefix:"mysql-common-4.1", reference:"4.1.11a-4sarge3")) flag++; if (deb_check(release:"3.1", prefix:"mysql-server-4.1", reference:"4.1.11a-4sarge3")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2006-553.NASL
description	5.0.21 fixes several moderate-severity security issues: see CVE-2006-0903 CVE-2006-1516 CVE-2006-1517 CVE-2006-1518, and our bugs 181335 182025 189054 190866 190868 190870 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	24105
published	2007-01-17
reporter	This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/24105
title	Fedora Core 5 : mysql-5.0.21-2.FC5.1 (2006-553)
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2006-553. # include("compat.inc"); if (description) { script_id(24105); script_version ("1.14"); script_cvs_date("Date: 2019/08/02 13:32:24"); script_xref(name:"FEDORA", value:"2006-553"); script_name(english:"Fedora Core 5 : mysql-5.0.21-2.FC5.1 (2006-553)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora Core host is missing a security update." ); script_set_attribute( attribute:"description", value: "5.0.21 fixes several moderate-severity security issues: see CVE-2006-0903 CVE-2006-1516 CVE-2006-1517 CVE-2006-1518, and our bugs 181335 182025 189054 190866 190868 190870 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); # https://lists.fedoraproject.org/pipermail/package-announce/2006-May/000078.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?1af83b43" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_attribute(attribute:"risk_factor", value:"High"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:mysql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:mysql-bench"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:mysql-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:mysql-server"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:mysql-test"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora_core:5"); script_set_attribute(attribute:"patch_publication_date", value:"2006/05/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/01/17"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) \|\| "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^5([^0-9]\|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 5.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC5", reference:"mysql-5.0.21-2.FC5.1")) flag++; if (rpm_check(release:"FC5", reference:"mysql-bench-5.0.21-2.FC5.1")) flag++; if (rpm_check(release:"FC5", reference:"mysql-devel-5.0.21-2.FC5.1")) flag++; if (rpm_check(release:"FC5", reference:"mysql-server-5.0.21-2.FC5.1")) flag++; if (rpm_check(release:"FC5", reference:"mysql-test-5.0.21-2.FC5.1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "mysql / mysql-bench / mysql-devel / mysql-server / mysql-test"); }

NASL family	Fedora Local Security Checks
NASL id	FEDORA_2006-554.NASL
description	4.1.19 fixes several moderate-severity security issues: see CVE-2006-0903 CVE-2006-1516 CVE-2006-1517 CVE-2006-1518, also our bugs 180467 180639 182025 183261 190866 190868 190870 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	24106
published	2007-01-17
reporter	This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/24106
title	Fedora Core 4 : mysql-4.1.19-1.FC4.1 (2006-554)
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Fedora Security Advisory 2006-554. # include("compat.inc"); if (description) { script_id(24106); script_version ("1.14"); script_cvs_date("Date: 2019/08/02 13:32:24"); script_xref(name:"FEDORA", value:"2006-554"); script_name(english:"Fedora Core 4 : mysql-4.1.19-1.FC4.1 (2006-554)"); script_summary(english:"Checks rpm output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Fedora Core host is missing a security update." ); script_set_attribute( attribute:"description", value: "4.1.19 fixes several moderate-severity security issues: see CVE-2006-0903 CVE-2006-1516 CVE-2006-1517 CVE-2006-1518, also our bugs 180467 180639 182025 183261 190866 190868 190870 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); # https://lists.fedoraproject.org/pipermail/package-announce/2006-May/000079.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?917bd654" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_attribute(attribute:"risk_factor", value:"High"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:mysql"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:mysql-bench"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:mysql-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:mysql-server"); script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora_core:4"); script_set_attribute(attribute:"patch_publication_date", value:"2006/05/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/01/17"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc."); script_family(english:"Fedora Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) \|\| "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora"); os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora"); os_ver = os_ver[1]; if (! ereg(pattern:"^4([^0-9]\|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 4.x", "Fedora " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu); flag = 0; if (rpm_check(release:"FC4", reference:"mysql-4.1.19-1.FC4.1")) flag++; if (rpm_check(release:"FC4", reference:"mysql-bench-4.1.19-1.FC4.1")) flag++; if (rpm_check(release:"FC4", reference:"mysql-devel-4.1.19-1.FC4.1")) flag++; if (rpm_check(release:"FC4", reference:"mysql-server-4.1.19-1.FC4.1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "mysql / mysql-bench / mysql-devel / mysql-server"); }

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DSA-1071.NASL
description	Several vulnerabilities have been discovered in MySQL, a popular SQL database. The Common Vulnerabilities and Exposures Project identifies the following problems : - CVE-2006-0903 Improper handling of SQL queries containing the NULL character allows local users to bypass logging mechanisms. - CVE-2006-1516 Usernames without a trailing null byte allow remote attackers to read portions of memory. - CVE-2006-1517 A request with an incorrect packet length allows remote attackers to obtain sensitive information. - CVE-2006-1518 Specially crafted request packets with invalid length values allow the execution of arbitrary code. The following vulnerability matrix shows which version of MySQL in which distribution has this problem fixed : woody sarge sid mysql 3.23.49-8.15 n/a n/a mysql-dfsg n/a 4.0.24-10sarge2 n/a mysql-dfsg-4.1 n/a 4.1.11a-4sarge3 n/a mysql-dfsg-5.0 n/a n/a 5.0.21-3
last seen	2020-06-01
modified	2020-06-02
plugin id	22613
published	2006-10-14
reporter	This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/22613
title	Debian DSA-1071-1 : mysql - several vulnerabilities
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-1071. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(22613); script_version("1.17"); script_cvs_date("Date: 2019/08/02 13:32:19"); script_cve_id("CVE-2006-0903", "CVE-2006-1516", "CVE-2006-1517", "CVE-2006-1518"); script_bugtraq_id(16850, 17780); script_xref(name:"DSA", value:"1071"); script_name(english:"Debian DSA-1071-1 : mysql - several vulnerabilities"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "Several vulnerabilities have been discovered in MySQL, a popular SQL database. The Common Vulnerabilities and Exposures Project identifies the following problems : - CVE-2006-0903 Improper handling of SQL queries containing the NULL character allows local users to bypass logging mechanisms. - CVE-2006-1516 Usernames without a trailing null byte allow remote attackers to read portions of memory. - CVE-2006-1517 A request with an incorrect packet length allows remote attackers to obtain sensitive information. - CVE-2006-1518 Specially crafted request packets with invalid length values allow the execution of arbitrary code. The following vulnerability matrix shows which version of MySQL in which distribution has this problem fixed : woody sarge sid mysql 3.23.49-8.15 n/a n/a mysql-dfsg n/a 4.0.24-10sarge2 n/a mysql-dfsg-4.1 n/a 4.1.11a-4sarge3 n/a mysql-dfsg-5.0 n/a n/a 5.0.21-3" ); script_set_attribute( attribute:"see_also", value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=366044" ); script_set_attribute( attribute:"see_also", value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=366049" ); script_set_attribute( attribute:"see_also", value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=366163" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2006-0903" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2006-1516" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2006-1517" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2006-1518" ); script_set_attribute( attribute:"see_also", value:"http://www.debian.org/security/2006/dsa-1071" ); script_set_attribute(attribute:"solution", value:"Upgrade the mysql packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:mysql"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0"); script_set_attribute(attribute:"patch_publication_date", value:"2006/05/22"); script_set_attribute(attribute:"plugin_publication_date", value:"2006/10/14"); script_set_attribute(attribute:"vuln_publication_date", value:"2006/02/25"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2006-2019 Tenable Network Security, Inc."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"3.0", prefix:"libmysqlclient10", reference:"3.23.49-8.15")) flag++; if (deb_check(release:"3.0", prefix:"libmysqlclient10-dev", reference:"3.23.49-8.15")) flag++; if (deb_check(release:"3.0", prefix:"mysql-client", reference:"3.23.49-8.15")) flag++; if (deb_check(release:"3.0", prefix:"mysql-common", reference:"3.23.49-8.15")) flag++; if (deb_check(release:"3.0", prefix:"mysql-doc", reference:"3.23.49-8.5")) flag++; if (deb_check(release:"3.0", prefix:"mysql-server", reference:"3.23.49-8.15")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");

NASL family	Ubuntu Local Security Checks
NASL id	UBUNTU_USN-306-1.NASL
description	MySQL did not correctly handle NULL as the second argument to the str_to_date() function. An authenticated user could exploit this to crash the server. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-06-01
modified	2020-06-02
plugin id	27881
published	2007-11-10
reporter	Ubuntu Security Notice (C) 2006-2019 Canonical, Inc. / NASL script (C) 2007-2016 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/27881
title	Ubuntu 5.10 : mysql-dfsg-4.1 vulnerability (USN-306-1)
code	#%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-306-1. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(27881); script_version("1.14"); script_cvs_date("Date: 2019/08/02 13:33:01"); script_cve_id("CVE-2006-1516", "CVE-2006-1517", "CVE-2006-1518", "CVE-2006-3081"); script_xref(name:"USN", value:"306-1"); script_name(english:"Ubuntu 5.10 : mysql-dfsg-4.1 vulnerability (USN-306-1)"); script_summary(english:"Checks dpkg output for updated packages."); script_set_attribute( attribute:"synopsis", value: "The remote Ubuntu host is missing one or more security-related patches." ); script_set_attribute( attribute:"description", value: "MySQL did not correctly handle NULL as the second argument to the str_to_date() function. An authenticated user could exploit this to crash the server. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libmysqlclient14"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libmysqlclient14-dev"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:mysql-client-4.1"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:mysql-common-4.1"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:mysql-server-4.1"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:5.10"); script_set_attribute(attribute:"patch_publication_date", value:"2006/06/27"); script_set_attribute(attribute:"plugin_publication_date", value:"2007/11/10"); script_set_attribute(attribute:"vuln_publication_date", value:"2006/05/02"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2006-2019 Canonical, Inc. / NASL script (C) 2007-2016 Tenable Network Security, Inc."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("misc_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! ereg(pattern:"^(5\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 5.10", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); flag = 0; if (ubuntu_check(osver:"5.10", pkgname:"libmysqlclient14", pkgver:"4.1.12-1ubuntu3.6")) flag++; if (ubuntu_check(osver:"5.10", pkgname:"libmysqlclient14-dev", pkgver:"4.1.12-1ubuntu3.6")) flag++; if (ubuntu_check(osver:"5.10", pkgname:"mysql-client-4.1", pkgver:"4.1.12-1ubuntu3.6")) flag++; if (ubuntu_check(osver:"5.10", pkgname:"mysql-common-4.1", pkgver:"4.1.12-1ubuntu3.6")) flag++; if (ubuntu_check(osver:"5.10", pkgname:"mysql-server-4.1", pkgver:"4.1.12-1ubuntu3.6")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libmysqlclient14 / libmysqlclient14-dev / mysql-client-4.1 / etc"); }

NASL family	SuSE Local Security Checks
NASL id	SUSE_SA_2006_036.NASL
description	The remote host is missing the patch for the advisory SUSE-SA:2006:036 (mysql). The database server MySQL was updated to fix the following security problems: - Attackers could read portions of memory by using a user name with trailing null byte or via COM_TABLE_DUMP command (CVE-2006-1516, CVE-2006-1517). - Attackers could potentially execute arbitrary code by causing a buffer overflow via specially crafted COM_TABLE_DUMP packets (CVE-2006-1518). The mysql server package was released on May 30th already, the mysql-Max server package was released on June 20th after additional bugfixes.
last seen	2019-10-28
modified	2007-02-18
plugin id	24416
published	2007-02-18
reporter	This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/24416
title	SUSE-SA:2006:036: mysql

NASL family	SuSE Local Security Checks
NASL id	SUSE_MYSQL-1312.NASL
description	Attackers could read portions of memory by using a user name with trailing null byte or via COM_TABLE_DUMP command (CVE-2006-1516, CVE-2006-1517). Attackers could execute arbitrary code by causing a buffer overflow via specially crafted COM_TABLE_DUMP packets (CVE-2006-1518).
last seen	2020-06-01
modified	2020-06-02
plugin id	27356
published	2007-10-17
reporter	This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/27356
title	openSUSE 10 Security Update : mysql (mysql-1312)

NASL family	Slackware Local Security Checks
NASL id	SLACKWARE_SSA_2006-129-02.NASL
description	New mysql packages are available for Slackware 10.2 and -current to fix security issues. The MySQL package shipped with Slackware 10.2 may possibly leak sensitive information found in uninitialized memory to authenticated users. The MySQL package previously in Slackware -current also suffered from these flaws, but an additional overflow could allow arbitrary code execution. Since the vulnerabilities require a valid login and/or access to the database server, the risk is moderate. Slackware does not provide network access to a MySQL database by default.
last seen	2020-06-01
modified	2020-06-02
plugin id	21345
published	2006-05-13
reporter	This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/21345
title	Slackware 10.2 / current : mysql (SSA:2006-129-02)

NASL family	FreeBSD Local Security Checks
NASL id	FREEBSD_PKG_4913886CE87511DAB9F400123FFE8333.NASL
description	Secunia reports : MySQL have some vulnerabilities, which can be exploited by malicious users to disclose potentially sensitive information and compromise a vulnerable system. 1) An error within the code that generates an error response to an invalid COM_TABLE_DUMP packet can be exploited by an authenticated client to disclosure certain memory content of the server process. 2) A boundary error within the handling of specially crafted invalid COM_TABLE_DUMP packets can be exploited by an authenticated client to cause a buffer overflow and allows arbitrary code execution. 3) An error within the handling of malformed login packets can be exploited to disclosure certain memory content of the server process in the error messages.
last seen	2020-06-01
modified	2020-06-02
plugin id	21633
published	2006-06-05
reporter	This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/21633
title	FreeBSD : MySQL -- Information Disclosure and Buffer Overflow Vulnerabilities (4913886c-e875-11da-b9f4-00123ffe8333)

NASL family	FreeBSD Local Security Checks
NASL id	FREEBSD_PKG_A8D8713EDC8311DAA22B000C6EC775D9.NASL
description	Stefano Di Paola reports : An authenticated user could remotely execute arbitrary commands by taking advantage of a stack overflow. To take advantage of these flaws an attacker should have direct access to MySQL server communication layer (port 3306 or unix socket). But if used in conjuction with some web application flaws (i.e. php code injection) an attacker could use socket programming (i.e. php sockets) to gain access to that layer.
last seen	2020-06-01
modified	2020-06-02
plugin id	21492
published	2006-05-13
reporter	This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/21492
title	FreeBSD : mysql50-server -- COM_TABLE_DUMP arbitrary code execution (a8d8713e-dc83-11da-a22b-000c6ec775d9)

NASL family	Debian Local Security Checks
NASL id	DEBIAN_DSA-1079.NASL
description	Several vulnerabilities have been discovered in MySQL, a popular SQL database. The Common Vulnerabilities and Exposures Project identifies the following problems : - CVE-2006-0903 Improper handling of SQL queries containing the NULL character allows local users to bypass logging mechanisms. - CVE-2006-1516 Usernames without a trailing null byte allow remote attackers to read portions of memory. - CVE-2006-1517 A request with an incorrect packet length allows remote attackers to obtain sensitive information. - CVE-2006-1518 Specially crafted request packets with invalid length values allow the execution of arbitrary code. The following vulnerability matrix shows which version of MySQL in which distribution has this problem fixed : woody sarge sid mysql 3.23.49-8.15 n/a n/a mysql-dfsg n/a 4.0.24-10sarge2 n/a mysql-dfsg-4.1 n/a 4.1.11a-4sarge3 n/a mysql-dfsg-5.0 n/a n/a 5.0.21-3
last seen	2020-06-01
modified	2020-06-02
plugin id	22621
published	2006-10-14
reporter	This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
source	https://www.tenable.com/plugins/nessus/22621
title	Debian DSA-1079-1 : mysql-dfsg - several vulnerabilities

Vulnerabilities > CVE-2006-1518 {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"Vulnerabilities","item":"https://cyber.vumetric.com/vulns/"},{"@type":"ListItem","position":2,"name":"CVE-2006-1518"}]}

Summary

Vulnerable Configurations

Exploit-Db

Nessus

References

Vulnerabilities > CVE-2006-1518