MySQL command-line client HTML injection vulnerability

2008-09-30 / 2008-10-01
Risk: Medium
Local: No
Remote: Yes

CVSS Base Score: 2.6/10
Impact Subscore: 2.9/10
Exploitability Subscore: 4.9/10
Exploit range: Remote
Attack complexity: High
Authentication: Not required
Confidentiality impact: None
Integrity impact: Partial
Availability impact: None

MYSQL COMMAND-LINE CLIENT HTML INJECTION VULNERABILITY

Thomas Henlich <thomas_at_henlich.de>

DESCRIPTION

The mysql command-line client does not quote HTML special characters like < in its output. This allows an attacker who is able to write data into a table to hide or modify records in the output, and to inject potentially dangerous code, e.g. JavaScript to perform cross-site scripting or cross-site request forgery attacks.

HOW TO REPRODUCE

$ mysql --html --execute "select '<a>'"
...
<TABLE BORDER=1><TR><TH><a></TH></TR><TR><TD><a></TD></TR></TABLE>

AFFECTED VERSIONS

All.

RESOLUTION

Users are advised to install the available patch from

WORKAROUND

If another resolution is not feasible, users are advised to modify their SELECT statements to filter out the characters < and &:

SELECT REPLACE(REPLACE(...,'&','&amp;'),'<','&lt;') AS ...;

This workaround is incompatible with the described resolution and should be reversed after installation of the patch.

TIMELINE

2007-04-17 Opened bug on
2008-05-01 Patch available

RESOURCES

The bug is filed on
This advisory is available from
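The output-encoding step whose absence the DESCRIPTION section reports, shown beside the raw behaviour from HOW TO REPRODUCE. This is an added example, not the MySQL patch or code from the advisory; the function names append and render_table and the buffer sizes are made up for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: append src to NUL-terminated dst (capacity cap).
   With escape != 0, HTML special characters become entities. -1 = no room. */
static int append(char *dst, size_t cap, const char *src, int escape)
{
    size_t used = strlen(dst);
    for (; *src; src++) {
        char raw[2] = { *src, '\0' };
        const char *rep = raw;
        if (escape)
            switch (*src) {
            case '&': rep = "&amp;";  break;
            case '<': rep = "&lt;";   break;
            case '>': rep = "&gt;";   break;
            case '"': rep = "&quot;"; break;
            }
        size_t n = strlen(rep);
        if (used + n + 1 > cap) return -1;
        memcpy(dst + used, rep, n + 1);   /* copies the terminating NUL too */
        used += n;
    }
    return 0;
}

/* Hypothetical renderer: one column, one row, in the layout the advisory
   shows. Markup is written verbatim; data is escaped only if escape != 0. */
int render_table(char *out, size_t cap, const char *head, const char *val, int escape)
{
    if (cap == 0) return -1;
    out[0] = '\0';
    if (append(out, cap, "<TABLE BORDER=1><TR><TH>", 0) ||
        append(out, cap, head, escape) ||
        append(out, cap, "</TH></TR><TR><TD>", 0) ||
        append(out, cap, val, escape) ||
        append(out, cap, "</TD></TR></TABLE>", 0))
        return -1;
    return 0;
}

int main(void)
{
    char buf[256];   /* constructed sample: the value from HOW TO REPRODUCE */
    for (int esc = 0; esc <= 1; esc++)
        if (render_table(buf, sizeof buf, "<a>", "<a>", esc) == 0)
            printf("escape=%d: %s\n", esc, buf);
    return 0;
}
```

With escape=0 the column header and the cell value reach the page as live markup, which is the reported behaviour; with escape=1 both arrive as inert text.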

