Vulnerabilities > CVE-2007-5970 - Remote Security vulnerability in MySQL

CVSS 5.8 - MEDIUM
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
NONE

Summary

MySQL 5.1.x before 5.1.23 and 6.0.x before 6.0.4 allows remote authenticated users to gain privileges on arbitrary tables via unspecified vectors involving use of table-level DATA DIRECTORY and INDEX DIRECTORY options when creating a partitioned table with the same name as a table on which the user lacks privileges. Note that exploitation presupposes an existing database account that is able to create partitioned tables, so the "Privileges required: NONE" shown in the header above understates the precondition; the remedy is to upgrade to 5.1.23 / 6.0.4 or later.

Nessus

NASL family: Databases
NASL id: MYSQL_5_1_23.NASL
description: The version of MySQL Server installed on the remote host reportedly is affected by the following issues : - It is possible, by creating a partitioned table using the DATA DIRECTORY and INDEX DIRECTORY options, to gain privileges on other tables having the same name as the partitioned table. (Bug #32091) - Using RENAME TABLE against a table with explicit DATA DIRECTORY and INDEX DIRECTORY options can be used to overwrite system table information. (Bug #32111). - ALTER VIEW retains the original DEFINER value, even when altered by another user, which can allow that user to gain the access rights of the view. (Bug #29908) - When using a FEDERATED table, the local server can be forced to crash if the remote server returns a result with fewer columns than expected. (Bug #29801)
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 29345
published: 2007-12-13
reporter: This script is Copyright (C) 2007-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/29345
title: MySQL Community Server < 5.1.23 / 6.0.4 Multiple Vulnerabilities
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Plugin registration branch: everything here only fills in the metadata the
# scanner displays (IDs, description, CVSS, solution) and declares what the
# check further down depends on. No probing of the target happens here.
if (description)
{
  script_id(29345);
  script_version("1.18");
  script_cvs_date("Date: 2018/11/15 20:50:21");

  # CVE-2007-5970 is the partitioned-table DATA/INDEX DIRECTORY privilege
  # issue (Bug #32091); the other IDs cover the remaining bugs listed in the
  # description below.
  script_cve_id("CVE-2007-5969", "CVE-2007-5970", "CVE-2007-6303", "CVE-2007-6304", "CVE-2007-5925");
  script_bugtraq_id(26765, 26832);

  script_name(english:"MySQL Community Server < 5.1.23 / 6.0.4 Multiple Vulnerabilities");
  script_summary(english:"Checks version of MySQL Server");

  script_set_attribute(attribute:"synopsis", value:
"The remote database server is affected by several issues.");
  # NASL double-quoted strings are taken literally (no escape processing),
  # so the line breaks and indentation below are part of the reported text.
  script_set_attribute(attribute:"description", value:
"The version of MySQL Server installed on the remote host reportedly is
affected by the following issues :

  - It is possible, by creating a partitioned table using 
    the DATA DIRECTORY and INDEX DIRECTORY options, to gain 
    privileges on other tables having the same name as the 
    partitioned table. (Bug #32091)

  - Using RENAME TABLE against a table with explicit DATA
    DIRECTORY and INDEX DIRECTORY options can be used to
    overwrite system table information. (Bug #32111).

  - ALTER VIEW retains the original DEFINER value, even 
    when altered by another user, which can allow that 
    user to gain the access rights of the view. (Bug
    #29908)

  - When using a FEDERATED table, the local server can be 
    forced to crash if the remote server returns a result 
    with fewer columns than expected. (Bug #29801)");
  script_set_attribute(attribute:"see_also", value:"https://bugs.mysql.com/bug.php?id=32091");
  script_set_attribute(attribute:"see_also", value:"https://bugs.mysql.com/bug.php?id=32111");
  script_set_attribute(attribute:"see_also", value:"https://bugs.mysql.com/bug.php?id=29908");
  script_set_attribute(attribute:"see_also", value:"https://bugs.mysql.com/bug.php?id=29801");
  script_set_attribute(attribute:"see_also", value:"http://dev.mysql.com/doc/refman/5.1/en/news-5-1-23.html");
  # http://web.archive.org/web/20090621041615/http://dev.mysql.com/doc/refman/6.0/en/news-6-0-4.html
  # (the 6.0.4 release notes are no longer hosted by MySQL; the nessus.org
  # short link below redirects to the archived copy above)
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?0e513c99");
  script_set_attribute(attribute:"solution", value:
"Upgrade to MySQL Community Server version 5.1.23 / 6.0.4 or later.");
  # One aggregate CVSSv2 vector for all four issues, not the score of any
  # single CVE: Au:S because the table/view issues need an authenticated
  # session, A:P from the FEDERATED crash (Bug #29801). CVE-2007-5970 on its
  # own has no availability impact.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:S/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  # CWE-20: improper input validation; CWE-264: permissions/privileges.
  script_cwe_id(20, 264);

  script_set_attribute(attribute:"plugin_publication_date", value:"2007/12/13");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:mysql:mysql");
  script_end_attributes();
 
  script_category(ACT_GATHER_INFO);
  script_family(english:"Databases");

  script_copyright(english:"This script is Copyright (C) 2007-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # The check reads the server version/variant and the per-port KB entries
  # (mysql/<port>/datadir, mysql/<port>/databases); these two plugins are
  # presumably what populate them, so they must run first.
  script_dependencies("mysql_version.nasl", "mysql_login.nasl");
  script_require_ports("Services/mysql", 3306);
  # Pure version-string check, so it is only scheduled when the scan policy
  # has 'Report paranoia' set to Paranoid (see the guard in the body).
  script_require_keys("Settings/ParanoidReport");

  exit(0);
}


include("global_settings.inc");
include("misc_func.inc");
include("mysql_func.inc");


# This is a version-string check only: nothing is verified beyond the number
# the server reports, and distribution builds that backport the fix keep the
# old number. To limit false positives it runs only under 'Paranoid' reporting.
if (report_paranoia < 2)
  exit(1, "This plugin only runs if 'Report paranoia' is set to 'Paranoid'.");

mysql_port = get_service(svc:"mysql", default:3306, exit_on_fail:TRUE);

# Affected ranges: 5.1.0 - 5.1.22 and 6.0.0 - 6.0.3. A non-digit suffix after
# the patch number (e.g. "-rc", "-log") is accepted; a further digit is not,
# so 5.1.23 / 6.0.4 and later never match.
affected_re = "^(5\.1\.([0-9]|1[0-9]|2[0-2])|6\.0\.[0-3])($|[^0-9])";

if (mysql_init(port:mysql_port, exit_on_fail:TRUE) == 1)
{
  flavor  = mysql_get_variant();
  version = mysql_get_version();

  # Only the Community edition is in scope for this plugin; the variant test
  # comes first so the regex is not evaluated for other builds.
  if ("Community" >< flavor && version =~ affected_re)
  {
    # Report header, then whatever inventory the login step left in the KB.
    msg = '\nThe remote MySQL '+flavor+'\'s version is :\n'+'\n  '+version+'\n';

    data_dir = get_kb_item('mysql/' + mysql_port + '/datadir');
    if (!empty_or_null(data_dir))
      msg = msg + '  Data Dir          : ' + data_dir + '\n';

    db_list = get_kb_item('mysql/' + mysql_port + '/databases');
    if (!empty_or_null(db_list))
      msg = msg + '  Databases         :\n' + db_list;

    security_warning(port:mysql_port, extra:msg);
  }
}
mysql_close();

Statements

contributor: Mark J Cox
last modified: 2008-01-09
organization: Red Hat
statement: Not vulnerable. This issue did not affect the mysql packages as shipped in Red Hat Enterprise Linux 2.1, 3, 4, 5, Red Hat Application Stack v1, and v2, as the versions shipped do not support table partitioning. The partitioning feature was introduced in development MySQL version 5.1.