CVE-2006-2753 - SQL Injection vulnerability in MySQL Mysql_real_escape Function
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
Summary
SQL injection vulnerability in MySQL 4.1.x before 4.1.20 and 5.0.x before 5.0.22 allows context-dependent attackers to execute arbitrary SQL commands via crafted multibyte encodings in character sets such as SJIS, BIG5, and GBK, which are not properly handled when the mysql_real_escape function is used to escape the input.
Vulnerable Configurations
Nessus
NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2006-0544.NASL
description:
Updated mysql packages that fix multiple security flaws are now available. This update has been rated as having important security impact by the Red Hat Security Response Team.

MySQL is a multi-user, multi-threaded SQL database server. MySQL is a client/server implementation consisting of a server daemon (mysqld) and many different client programs and libraries.

A flaw was found in the way the MySQL mysql_real_escape() function escaped strings when operating in a multibyte character encoding. An attacker could provide an application a carefully crafted string containing invalidly-encoded characters which may be improperly escaped, leading to the injection of malicious SQL commands. (CVE-2006-2753)

An information disclosure flaw was found in the way the MySQL server processed malformed usernames. An attacker could view a small portion of server memory by supplying an anonymous login username which was not null terminated. (CVE-2006-1516)

An information disclosure flaw was found in the way the MySQL server executed the COM_TABLE_DUMP command. An authenticated malicious user could send a specially crafted packet to the MySQL server which returned random unallocated memory. (CVE-2006-1517)

A log file obfuscation flaw was found in the way the mysql_real_query() function creates log file entries. An attacker with the ability to call the mysql_real_query() function against a mysql server can obfuscate the entry the server will write to the log file. However, an attacker needed to have complete control over a server in order to attempt this attack. (CVE-2006-0903)

This update also fixes numerous non-security-related flaws, such as intermittent authentication failures. All users of mysql are advised to upgrade to these updated packages containing MySQL version 4.1.20, which is not vulnerable to these issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 21683
published: 2006-06-11
reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/21683
title: RHEL 4 : mysql (RHSA-2006:0544)
code:
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2006:0544. The text
# itself is copyright (C) Red Hat, Inc.
#

include("compat.inc");

if (description)
{
  script_id(21683);
  script_version ("1.24");
  script_cvs_date("Date: 2019/10/25 13:36:12");

  script_cve_id("CVE-2006-0903", "CVE-2006-1516", "CVE-2006-1517", "CVE-2006-2753", "CVE-2006-3081", "CVE-2006-4380");
  script_bugtraq_id(17780);
  script_xref(name:"RHSA", value:"2006:0544");

  script_name(english:"RHEL 4 : mysql (RHSA-2006:0544)");
  script_summary(english:"Checks the rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Red Hat host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Updated mysql packages that fix multiple security flaws are now
available.

This update has been rated as having important security impact by the
Red Hat Security Response Team.

MySQL is a multi-user, multi-threaded SQL database server. MySQL is a
client/server implementation consisting of a server daemon (mysqld)
and many different client programs and libraries.

A flaw was found in the way the MySQL mysql_real_escape() function
escaped strings when operating in a multibyte character encoding. An
attacker could provide an application a carefully crafted string
containing invalidly-encoded characters which may be improperly
escaped, leading to the injection of malicious SQL commands.
(CVE-2006-2753)

An information disclosure flaw was found in the way the MySQL server
processed malformed usernames. An attacker could view a small portion
of server memory by supplying an anonymous login username which was
not null terminated. (CVE-2006-1516)

An information disclosure flaw was found in the way the MySQL server
executed the COM_TABLE_DUMP command. An authenticated malicious user
could send a specially crafted packet to the MySQL server which
returned random unallocated memory. (CVE-2006-1517)

A log file obfuscation flaw was found in the way the mysql_real_query()
function creates log file entries. An attacker with the the ability to
call the mysql_real_query() function against a mysql server can
obfuscate the entry the server will write to the log file. However, an
attacker needed to have complete control over a server in order to
attempt this attack. (CVE-2006-0903)

This update also fixes numerous non-security-related flaws, such as
intermittent authentication failures.

All users of mysql are advised to upgrade to these updated packages
containing MySQL version 4.1.20, which is not vulnerable to these
issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2006-0903"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2006-1516"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2006-1517"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2006-2753"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2006-3081"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2006-4380"
  );
  # http://lists.mysql.com/announce/364
  script_set_attribute(
    attribute:"see_also",
    value:"https://lists.mysql.com/announce/364"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/errata/RHSA-2006:0544"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mysql");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mysql-bench");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mysql-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:mysql-server");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:4");

  script_set_attribute(attribute:"vuln_publication_date", value:"2006/02/27");
  script_set_attribute(attribute:"patch_publication_date", value:"2006/06/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/06/11");

  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Red Hat Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
os_ver = os_ver[1];
if (! preg(pattern:"^4([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 4.x", "Red Hat " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);

yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
if (!empty_or_null(yum_updateinfo))
{
  rhsa = "RHSA-2006:0544";
  yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
  if (!empty_or_null(yum_report))
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : yum_report
    );
    exit(0);
  }
  else
  {
    audit_message = "affected by Red Hat security advisory " + rhsa;
    audit(AUDIT_OS_NOT, audit_message);
  }
}
else
{
  flag = 0;
  if (rpm_check(release:"RHEL4", reference:"mysql-4.1.20-1.RHEL4.1")) flag++;
  if (rpm_check(release:"RHEL4", reference:"mysql-bench-4.1.20-1.RHEL4.1")) flag++;
  if (rpm_check(release:"RHEL4", reference:"mysql-devel-4.1.20-1.RHEL4.1")) flag++;
  if (rpm_check(release:"RHEL4", reference:"mysql-server-4.1.20-1.RHEL4.1")) flag++;

  if (flag)
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get() + redhat_report_package_caveat()
    );
    exit(0);
  }
  else
  {
    tested = pkg_tests_get();
    if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
    else audit(AUDIT_PACKAGE_NOT_INSTALLED, "mysql / mysql-bench / mysql-devel / mysql-server");
  }
}
NASL family: Ubuntu Local Security Checks
NASL id: UBUNTU_USN-288-3.NASL
description: USN-288-1 described a PostgreSQL client vulnerability in the way the >>
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 27859
published: 2007-11-10
reporter: Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/27859
title: Ubuntu 5.04 / 5.10 / 6.06 LTS : dovecot, exim4, postfix vulnerabilities (USN-288-3)
code:
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-288-3. The text
# itself is copyright (C) Canonical, Inc. See
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
#

include("compat.inc");

if (description)
{
  script_id(27859);
  script_version("1.12");
  script_cvs_date("Date: 2019/08/02 13:33:00");

  script_cve_id("CVE-2006-2313", "CVE-2006-2314", "CVE-2006-2753");
  script_xref(name:"USN", value:"288-3");

  script_name(english:"Ubuntu 5.04 / 5.10 / 6.06 LTS : dovecot, exim4, postfix vulnerabilities (USN-288-3)");
  script_summary(english:"Checks dpkg output for updated packages.");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Ubuntu host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description",
    value:
"USN-288-1 described a PostgreSQL client vulnerability in the way the
>>'<< character is escaped in SQL queries. It was determined that the
PostgreSQL backends of Exim, Dovecot, and Postfix used this unsafe
escaping method.

For reference, these are the details of the original USN :

CVE-2006-2313:
Akio Ishida and Yasuo Ohgaki discovered a weakness in the handling of
invalidly-encoded multibyte text data. If a client application
processed untrusted input without respecting its encoding and applied
standard string escaping techniques (such as replacing a single quote
>>'<< with >>\'<< or >>''<<), the PostgreSQL server could interpret the
resulting string in a way that allowed an attacker to inject arbitrary
SQL commands into the resulting SQL query.

The PostgreSQL server has been modified to reject such invalidly
encoded strings now, which completely fixes the problem for some
'safe' multibyte encodings like UTF-8.

CVE-2006-2314:
However, there are some less popular and client-only multibyte
encodings (such as SJIS, BIG5, GBK, GB18030, and UHC) which contain
valid multibyte characters that end with the byte 0x5c, which is the
representation of the backslash character >>\<< in ASCII. Many client
libraries and applications use the non-standard, but popular way of
escaping the >>'<< character by replacing all occurences of it with
>>\'<<. If a client application uses one of the affected encodings and
does not interpret multibyte characters, and an attacker supplies a
specially crafted byte sequence as an input string parameter, this
escaping method would then produce a validly-encoded character and an
excess >>'<< character which would end the string. All subsequent
characters would then be interpreted as SQL code, so the attacker
could execute arbitrary SQL commands.

To fix this vulnerability end-to-end, client-side applications must be
fixed to properly interpret multibyte encodings and use >>''<< instead
of >>\'<<. However, as a precautionary measure, the sequence >>\'<< is
now regarded as invalid when one of the affected client encodings is
in use. If you depend on the previous behaviour, you can restore it by
setting 'backslash_quote = on' in postgresql.conf. However, please be
aware that this could render you vulnerable again.

This issue does not affect you if you only use single-byte (like
SQL_ASCII or the ISO-8859-X family) or unaffected multibyte (like
UTF-8) encodings.

Please see http://www.postgresql.org/docs/techdocs.50 for further
details.

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://usn.ubuntu.com/288-3/"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:dovecot");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:dovecot-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:dovecot-imapd");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:dovecot-pop3d");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:exim4");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:exim4-base");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:exim4-config");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:exim4-daemon-heavy");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:exim4-daemon-light");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:eximon4");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:postfix");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:postfix-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:postfix-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:postfix-ldap");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:postfix-mysql");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:postfix-pcre");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:postfix-pgsql");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:postfix-tls");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:5.04");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:5.10");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:6.06:-:lts");

  script_set_attribute(attribute:"patch_publication_date", value:"2006/06/09");
  script_set_attribute(attribute:"plugin_publication_date", value:"2007/11/10");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Ubuntu Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("ubuntu.inc");
include("misc_func.inc");

if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/Ubuntu/release");
if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
release = chomp(release);
if (! ereg(pattern:"^(5\.04|5\.10|6\.06)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 5.04 / 5.10 / 6.06", "Ubuntu " + release);
if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);

flag = 0;

if (ubuntu_check(osver:"5.04", pkgname:"dovecot", pkgver:"0.99.13-3ubuntu0.1")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"dovecot-common", pkgver:"0.99.13-3ubuntu0.1")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"dovecot-imapd", pkgver:"0.99.13-3ubuntu0.1")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"dovecot-pop3d", pkgver:"0.99.13-3ubuntu0.1")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"exim4", pkgver:"4.34-10ubuntu0.1")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"exim4-base", pkgver:"4.34-10ubuntu0.1")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"exim4-config", pkgver:"4.34-10ubuntu0.1")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"exim4-daemon-heavy", pkgver:"4.34-10ubuntu0.1")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"exim4-daemon-light", pkgver:"4.34-10ubuntu0.1")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"eximon4", pkgver:"4.34-10ubuntu0.1")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"postfix", pkgver:"2.1.5-9ubuntu3.1")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"postfix-dev", pkgver:"2.1.5-9ubuntu3.1")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"postfix-doc", pkgver:"2.1.5-9ubuntu3.1")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"postfix-ldap", pkgver:"2.1.5-9ubuntu3.1")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"postfix-mysql", pkgver:"2.1.5-9ubuntu3.1")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"postfix-pcre", pkgver:"2.1.5-9ubuntu3.1")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"postfix-pgsql", pkgver:"2.1.5-9ubuntu3.1")) flag++;
if (ubuntu_check(osver:"5.04", pkgname:"postfix-tls", pkgver:"2.1.5-9ubuntu3.1")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"dovecot", pkgver:"0.99.14-1ubuntu1.1")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"dovecot-common", pkgver:"0.99.14-1ubuntu1.1")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"dovecot-imapd", pkgver:"0.99.14-1ubuntu1.1")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"dovecot-pop3d", pkgver:"0.99.14-1ubuntu1.1")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"exim4", pkgver:"4.52-1ubuntu0.1")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"exim4-base", pkgver:"4.52-1ubuntu0.1")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"exim4-config", pkgver:"4.52-1ubuntu0.1")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"exim4-daemon-heavy", pkgver:"4.52-1ubuntu0.1")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"exim4-daemon-light", pkgver:"4.52-1ubuntu0.1")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"eximon4", pkgver:"4.52-1ubuntu0.1")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"postfix", pkgver:"2.2.4-1ubuntu2.1")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"postfix-dev", pkgver:"2.2.4-1ubuntu2.1")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"postfix-doc", pkgver:"2.2.4-1ubuntu2.1")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"postfix-ldap", pkgver:"2.2.4-1ubuntu2.1")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"postfix-mysql", pkgver:"2.2.4-1ubuntu2.1")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"postfix-pcre", pkgver:"2.2.4-1ubuntu2.1")) flag++;
if (ubuntu_check(osver:"5.10", pkgname:"postfix-pgsql", pkgver:"2.2.4-1ubuntu2.1")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"dovecot-common", pkgver:"1.0.beta3-3ubuntu5.1")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"dovecot-imapd", pkgver:"1.0.beta3-3ubuntu5.1")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"dovecot-pop3d", pkgver:"1.0.beta3-3ubuntu5.1")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"exim4", pkgver:"4.60-3ubuntu3.1")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"exim4-base", pkgver:"4.60-3ubuntu3.1")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"exim4-config", pkgver:"4.60-3ubuntu3.1")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"exim4-daemon-heavy", pkgver:"4.60-3ubuntu3.1")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"exim4-daemon-light", pkgver:"4.60-3ubuntu3.1")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"eximon4", pkgver:"4.60-3ubuntu3.1")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"postfix", pkgver:"2.2.10-1ubuntu0.1")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"postfix-dev", pkgver:"2.2.10-1ubuntu0.1")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"postfix-doc", pkgver:"2.2.10-1ubuntu0.1")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"postfix-ldap", pkgver:"2.2.10-1ubuntu0.1")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"postfix-mysql", pkgver:"2.2.10-1ubuntu0.1")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"postfix-pcre", pkgver:"2.2.10-1ubuntu0.1")) flag++;
if (ubuntu_check(osver:"6.06", pkgname:"postfix-pgsql", pkgver:"2.2.10-1ubuntu0.1")) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "dovecot / dovecot-common / dovecot-imapd / dovecot-pop3d / exim4 / etc");
}
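The USN text quoted in the plugin above explains the mechanism behind CVE-2006-2314 and CVE-2006-2753: a client that escapes a quote byte-by-byte as \' under a character set in which 0x5c is a legal trail byte can turn an invalid byte sequence into one valid character plus a bare quote, while the server, which decodes in the connection character set, sees the literal end early. The following is an added illustration and not code from Canonical, Tenable, MySQL or PostgreSQL; the function names, the GBK choice and every byte string are constructed for this example. It goes slightly beyond the advisory by also showing the second consequence of byte-level escaping, corruption of legitimate data whose last byte is 0x5c, and it models the server's view with a small literal lexer rather than a real database.

```python
# Added illustration (not code from Canonical, Tenable, MySQL or PostgreSQL).
# All inputs are constructed. It contrasts a byte-oriented "\'" escape applied
# under a multibyte character set in which 0x5c is a legal trail byte (GBK here)
# with an escape that decodes in the connection character set first and
# doubles the quote instead, as the advisory asks client code to do.

BACKSLASH = 0x5C
QUOTE = 0x27


def naive_backslash_escape(data: bytes) -> bytes:
    """The unsafe pattern: prefix every ' and \\ with a backslash, byte by
    byte, with no knowledge of the connection character set."""
    out = bytearray()
    for b in data:
        if b in (QUOTE, BACKSLASH):
            out.append(BACKSLASH)
        out.append(b)
    return bytes(out)


def charset_aware_escape(data: bytes, charset: str) -> bytes:
    """Decode strictly in the connection character set (malformed input raises
    UnicodeDecodeError instead of being passed through), escape at the
    character level by doubling the quote, which never introduces a 0x5c byte,
    and re-encode."""
    text = data.decode(charset)
    return text.replace("'", "''").encode(charset)


def escaped_body_status(escaped: bytes, charset: str) -> str:
    """Model how the server reads an escaped literal body: decode into
    characters in `charset` first, then scan those characters the way a
    single-quoted SQL literal with backslash escapes is lexed.
      "ok"              - the whole body stays inside the literal
      "early_close"     - an unescaped quote ends the literal before the end
                          of the body, so the remainder would be read as SQL
      "dangling_escape" - the body ends in a backslash, which would swallow
                          the closing quote (legitimate data corrupted)
      "malformed"       - the bytes are not valid in this character set
    """
    try:
        text = escaped.decode(charset)
    except UnicodeDecodeError:
        return "malformed"
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\":
            if i + 1 >= len(text):
                return "dangling_escape"
            i += 2  # the backslash escapes the next character
        elif ch == "'":
            if i + 1 < len(text) and text[i + 1] == "'":
                i += 2  # a doubled quote is one literal quote
            else:
                return "early_close"
        else:
            i += 1
    return "ok"


def compare(data: bytes, charset: str) -> dict:
    """Run both escapes on the same input and report how the server would read
    each result. The charset-aware path reports None when it rejected the
    input before any query was built."""
    naive = naive_backslash_escape(data)
    result = {"naive": naive, "naive_status": escaped_body_status(naive, charset)}
    try:
        safe = charset_aware_escape(data, charset)
    except UnicodeDecodeError:
        result["safe"] = None
        result["safe_status"] = None
    else:
        result["safe"] = safe
        result["safe_status"] = escaped_body_status(safe, charset)
    return result


if __name__ == "__main__":
    # Constructed inputs under GBK, where 0x5c is a legal trail byte.
    samples = {
        "ascii_with_quote": "O'Brien".encode("gbk"),
        "lead_byte_then_quote": b"user\x81'",  # lone GBK lead byte, then a quote
        "char_ending_in_5c": b"\x81\x5c",      # a valid GBK character whose trail byte is 0x5c
    }
    for label, sample in samples.items():
        print(label, compare(sample, "gbk"))
```

For the lone-lead-byte input the byte-level escape yields a body the server reads as one valid character followed by a bare quote ("early_close"), whereas the charset-aware path refuses the input outright; for the legitimate character ending in 0x5c the byte-level escape leaves a trailing backslash that would eat the closing quote, while the charset-aware path passes the bytes through unchanged. In production the equivalent of `charset_aware_escape` is the driver's own charset-aware escaping or, better, parameterized queries, which is also why the Gentoo entry below lists NO_BACKSLASH_ESCAPES as an interim server-side workaround.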
NASL family: Debian Local Security Checks
NASL id: DEBIAN_DSA-1092.NASL
description: Josh Berkus and Tom Lane discovered that MySQL 4.1, a popular SQL database, incorrectly parses a string escaped with mysql_real_escape() which could lead to SQL injection. This problem only exists in versions 4.1 and 5.0.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 22634
published: 2006-10-14
reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/22634
title: Debian DSA-1092-1 : mysql-dfsg-4.1 - programming error

NASL family: CentOS Local Security Checks
NASL id: CENTOS_RHSA-2006-0544.NASL
description:
Updated mysql packages that fix multiple security flaws are now available. This update has been rated as having important security impact by the Red Hat Security Response Team.

MySQL is a multi-user, multi-threaded SQL database server. MySQL is a client/server implementation consisting of a server daemon (mysqld) and many different client programs and libraries.

A flaw was found in the way the MySQL mysql_real_escape() function escaped strings when operating in a multibyte character encoding. An attacker could provide an application a carefully crafted string containing invalidly-encoded characters which may be improperly escaped, leading to the injection of malicious SQL commands. (CVE-2006-2753)

An information disclosure flaw was found in the way the MySQL server processed malformed usernames. An attacker could view a small portion of server memory by supplying an anonymous login username which was not null terminated. (CVE-2006-1516)

An information disclosure flaw was found in the way the MySQL server executed the COM_TABLE_DUMP command. An authenticated malicious user could send a specially crafted packet to the MySQL server which returned random unallocated memory. (CVE-2006-1517)

A log file obfuscation flaw was found in the way the mysql_real_query() function creates log file entries. An attacker with the ability to call the mysql_real_query() function against a mysql server can obfuscate the entry the server will write to the log file. However, an attacker needed to have complete control over a server in order to attempt this attack. (CVE-2006-0903)

This update also fixes numerous non-security-related flaws, such as intermittent authentication failures. All users of mysql are advised to upgrade to these updated packages containing MySQL version 4.1.20, which is not vulnerable to these issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 22000
published: 2006-07-05
reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/22000
title: CentOS 4 : mysql (CESA-2006:0544)

NASL family: SuSE Local Security Checks
NASL id: SUSE_MYSQL-1593.NASL
description: This update of mysql fixes a bug in the mysql_real_escape() function that allowed SQL command injection (CVE-2006-2753).
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 27357
published: 2007-10-17
reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/27357
title: openSUSE 10 Security Update : mysql (mysql-1593)

NASL family: MacOS X Local Security Checks
NASL id: MACOSX_10_4_9.NASL
description: The remote host is running a version of Mac OS X 10.4 which is older than version 10.4.9 or a version of Mac OS X 10.3 which does not have Security Update 2007-003 applied. This update contains several security fixes for the following programs :
- ColorSync
- CoreGraphics
- Crash Reporter
- CUPS
- Disk Images
- DS Plugins
- Flash Player
- GNU Tar
- HFS
- HID Family
- ImageIO
- Kernel
- MySQL server
- Networking
- OpenSSH
- Printing
- QuickDraw Manager
- servermgrd
- SMB File Server
- Software Update
- sudo
- WebLog
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 24811
published: 2007-03-13
reporter: This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/24811
title: Mac OS X < 10.4.9 Multiple Vulnerabilities (Security Update 2007-003)

NASL family: Mandriva Local Security Checks
NASL id: MANDRAKE_MDKSA-2006-097.NASL
description: SQL injection vulnerability in MySQL 4.1.x before 4.1.20 and 5.0.x before 5.0.22 allows context-dependent attackers to execute arbitrary SQL commands via crafted multibyte encodings in character sets such as SJIS, BIG5, and GBK, which are not properly handled when the mysql_real_escape function is used to escape the input. MySQL 4.0.18 in Corporate 3.0 and MNF 2.0 is not affected by this issue. Packages have been patched to correct this issue.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 21669
published: 2006-06-08
reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/21669
title: Mandrake Linux Security Advisory : MySQL (MDKSA-2006:097)

NASL family: Databases
NASL id: MYSQL_5_1_11.NASL
description: The version of MySQL installed on the remote host is earlier than 4.1.20 / 5.0.22 / 5.1.11 and thus reportedly allows a remote attacker to launch SQL injections by using multibyte character encodings (e.g. SJIS, BIG5, GBK) when mysql_real_escape is used.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 17806
published: 2012-01-16
reporter: This script is Copyright (C) 2012-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/17806
title: MySQL < 4.1.20 / 5.0.22 / 5.1.11 SQL Injection

NASL family: Gentoo Local Security Checks
NASL id: GENTOO_GLSA-200606-13.NASL
description: The remote host is affected by the vulnerability described in GLSA-200606-13 (MySQL: SQL Injection). MySQL is vulnerable to an injection flaw in mysql_real_escape() when used with multi-byte characters. Impact : Due to a flaw in the multi-byte character process, an attacker is still able to inject arbitrary SQL statements into the MySQL server for execution. Workaround : There are a few workarounds available: NO_BACKSLASH_ESCAPES mode as a workaround for a bug in mysql_real_escape_string(): SET sql_mode=
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 21706
published: 2006-06-16
reporter: This script is Copyright (C) 2006-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/21706
title: GLSA-200606-13 : MySQL: SQL Injection

NASL family: Slackware Local Security Checks
NASL id: SLACKWARE_SSA_2006-155-01.NASL
description: New mysql packages are available for Slackware 9.1, 10.0, 10.1, 10.2 and -current to fix security issues. The MySQL packages shipped with Slackware 9.1, 10.0, and 10.1 may possibly leak sensitive information found in uninitialized memory to authenticated users. This is fixed in the new packages, and was already patched in Slackware 10.2 and -current. Since the vulnerabilities require a valid login and/or access to the database server, the risk is moderate. Slackware does not provide network access to a MySQL database by default.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 21639
published: 2006-06-05
reporter: This script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/21639
title: Slackware 10.0 / 10.1 / 10.2 / 9.1 / current : mysql (SSA:2006-155-01)

NASL family: Ubuntu Local Security Checks
NASL id: UBUNTU_USN-303-1.NASL
description: A SQL injection vulnerability has been discovered when using less popular multibyte encodings (such as SJIS, or BIG5) which contain valid multibyte characters that end with the byte 0x5c (the representation of the backslash character >>\<< in ASCII). Many client libraries and applications use the non-standard, but popular way of escaping the >>
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 27878
published: 2007-11-10
reporter: Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/27878
title: Ubuntu 5.10 / 6.06 LTS : mysql-dfsg-4.1, mysql-dfsg-5.0 vulnerability (USN-303-1)
Oval
accepted: 2013-04-29T04:04:31.171-04:00
class: vulnerability
contributors: (none listed)
definition_extensions: (none listed)
description: SQL injection vulnerability in MySQL 4.1.x before 4.1.20 and 5.0.x before 5.0.22 allows context-dependent attackers to execute arbitrary SQL commands via crafted multibyte encodings in character sets such as SJIS, BIG5, and GBK, which are not properly handled when the mysql_real_escape function is used to escape the input.
family: unix
id: oval:org.mitre.oval:def:10312
status: accepted
submitted: 2010-07-09T03:56:16-04:00
title: SQL injection vulnerability in MySQL 4.1.x before 4.1.20 and 5.0.x before 5.0.22 allows context-dependent attackers to execute arbitrary SQL commands via crafted multibyte encodings in character sets such as SJIS, BIG5, and GBK, which are not properly handled when the mysql_real_escape function is used to escape the input.
version: 26
Redhat
advisories: (none listed)
rpms: (none listed)
References
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=369735
- http://docs.info.apple.com/article.html?artnum=305214
- http://lists.apple.com/archives/security-announce/2007/Mar/msg00002.html
- http://lists.mysql.com/announce/364
- http://secunia.com/advisories/20365
- http://secunia.com/advisories/20489
- http://secunia.com/advisories/20531
- http://secunia.com/advisories/20541
- http://secunia.com/advisories/20562
- http://secunia.com/advisories/20625
- http://secunia.com/advisories/20712
- http://secunia.com/advisories/24479
- http://securitytracker.com/id?1016216
- http://www.debian.org/security/2006/dsa-1092
- http://www.gentoo.org/security/en/glsa/glsa-200606-13.xml
- http://www.mandriva.com/security/advisories?name=MDKSA-2006:097
- http://www.redhat.com/support/errata/RHSA-2006-0544.html
- http://www.securityfocus.com/bid/18219
- http://www.trustix.org/errata/2006/0034/
- http://www.ubuntu.com/usn/usn-288-3
- http://www.us-cert.gov/cas/techalerts/TA07-072A.html
- http://www.vupen.com/english/advisories/2006/2105
- http://www.vupen.com/english/advisories/2007/0930
- https://exchange.xforce.ibmcloud.com/vulnerabilities/26875
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10312
- https://usn.ubuntu.com/303-1/