MySQL command-line client HTML injection vulnerability

2008-09-30 / 2008-10-01
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-79


CVSS Base Score: 2.6/10
Impact Subscore: 2.9/10
Exploitability Subscore: 4.9/10
Exploit range: Remote
Attack complexity: High
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

MYSQL COMMAND-LINE CLIENT HTML INJECTION VULNERABILITY

Thomas Henlich <thomas_at_henlich.de>

DESCRIPTION

The mysql command-line client does not quote HTML special characters like < in its output. This allows an attacker who is able to write data into a table to hide or modify records in the output, and to inject potentially dangerous code, e.g. JavaScript to perform cross-site scripting or cross-site request forgery attacks.

HOW TO REPRODUCE

    $ mysql --html --execute "select '<a>'"
    ...
    <TABLE BORDER=1><TR><TH><a></TH></TR><TR><TD><a></TD></TR></TABLE>

AFFECTED VERSIONS

All.

RESOLUTION

Users are advised to install the available patch from http://bugs.mysql.com/bug.php?id=27884.

WORKAROUND

If another resolution is not feasible, users are advised to modify their SELECT statements to filter out the characters < and &:

    SELECT REPLACE(REPLACE(...,'&','&amp;'),'<','&lt;') AS ...;

This workaround is incompatible with the described resolution and should be reversed after installation of the patch.

TIMELINE

2007-04-17 Opened bug on mysql.com
2008-05-01 Patch available

RESOURCES

The bug is filed on http://bugs.mysql.com/bug.php?id=27884.
This advisory is available from http://www.henlich.de/it-security/mysql-command-line-client-html-injection-vulnerability.
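Why the workaround has to be reversed once the patch is installed, as an added example that is not part of the original advisory or of the MySQL patch. render_html imitates the table layout shown under HOW TO REPRODUCE; Python's html.escape stands in, as an assumption, for the escaping a patched client performs; the function names and sample value are constructed for illustration.

```python
import html

def sql_workaround(value):
    # Same effect as REPLACE(REPLACE(value,'&','&amp;'),'<','&lt;') in the advisory.
    return value.replace("&", "&amp;").replace("<", "&lt;")

def render_html(headers, rows, escape):
    # escape=False models the unpatched client: cell data is emitted verbatim.
    # escape=True models a client that encodes &, < and > (assumption: html.escape).
    enc = (lambda s: html.escape(s, quote=False)) if escape else (lambda s: s)
    out = ["<TABLE BORDER=1><TR>"]
    out += ["<TH>%s</TH>" % enc(h) for h in headers]
    out.append("</TR>")
    for row in rows:
        out.append("<TR>")
        out += ["<TD>%s</TD>" % enc(c) for c in row]
        out.append("</TR>")
    out.append("</TABLE>")
    return "".join(out)

def cell_markup(value, patched, workaround):
    # Markup that ends up inside the single <TD> cell for one stored value.
    if workaround:
        value = sql_workaround(value)
    table = render_html(["v"], [[value]], escape=patched)
    return table.split("<TD>", 1)[1].split("</TD>", 1)[0]

def displayed_text(markup):
    # Text a browser shows for already-encoded cell markup.
    return html.unescape(markup)

if __name__ == "__main__":
    stored = "<a>"  # constructed sample: attacker-controlled column value
    for patched in (False, True):
        for workaround in (False, True):
            m = cell_markup(stored, patched, workaround)
            print("patched=%-5s workaround=%-5s cell=%s" % (patched, workaround, m))
    # With both the patch and the workaround active the value is encoded
    # twice, so the page shows "&lt;a>" instead of the stored "<a>".
    print("double-encoded cell displays as:",
          displayed_text(cell_markup(stored, True, True)))
```
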

References:

http://www.securityfocus.com/archive/1/archive/1/496877/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/496842/100/0/threaded
http://www.henlich.de/it-security/mysql-command-line-client-html-injection-vulnerability
http://secunia.com/advisories/32072
http://bugs.mysql.com/bug.php?id=27884


Copyright 2017, cxsecurity.com

 
