ID CVE-2006-0903
Summary MySQL 5.0.18 and earlier allows local users to bypass logging mechanisms via SQL queries that contain the NULL character, which are not properly handled by the mysql_real_query function. NOTE: this issue was originally reported for the mysql_query function, but the vendor states that since mysql_query expects a null character, this is not an issue for mysql_query.
References
Vulnerable Configurations
  • MySQL MySQL 3.23
    cpe:2.3:a:mysql:mysql:3.23
  • MySQL MySQL 3.23.0 alpha
    cpe:2.3:a:mysql:mysql:3.23.0:alpha
  • MySQL MySQL 3.23.1
    cpe:2.3:a:mysql:mysql:3.23.1
  • MySQL MySQL 3.23.2
    cpe:2.3:a:mysql:mysql:3.23.2
  • MySQL MySQL 3.23.3
    cpe:2.3:a:mysql:mysql:3.23.3
  • MySQL MySQL 3.23.4
    cpe:2.3:a:mysql:mysql:3.23.4
  • MySQL MySQL 3.23.5
    cpe:2.3:a:mysql:mysql:3.23.5
  • MySQL MySQL 3.23.6
    cpe:2.3:a:mysql:mysql:3.23.6
  • MySQL MySQL 3.23.7
    cpe:2.3:a:mysql:mysql:3.23.7
  • MySQL MySQL 3.23.8
    cpe:2.3:a:mysql:mysql:3.23.8
  • MySQL MySQL 3.23.9
    cpe:2.3:a:mysql:mysql:3.23.9
  • MySQL MySQL 3.23.10
    cpe:2.3:a:mysql:mysql:3.23.10
  • MySQL MySQL 3.23.11
    cpe:2.3:a:mysql:mysql:3.23.11
  • MySQL MySQL 3.23.12
    cpe:2.3:a:mysql:mysql:3.23.12
  • MySQL MySQL 3.23.13
    cpe:2.3:a:mysql:mysql:3.23.13
  • MySQL MySQL 3.23.14
    cpe:2.3:a:mysql:mysql:3.23.14
  • MySQL MySQL 3.23.15
    cpe:2.3:a:mysql:mysql:3.23.15
  • MySQL MySQL 3.23.16
    cpe:2.3:a:mysql:mysql:3.23.16
  • MySQL MySQL 3.23.17
    cpe:2.3:a:mysql:mysql:3.23.17
  • MySQL MySQL 3.23.18
    cpe:2.3:a:mysql:mysql:3.23.18
  • MySQL MySQL 3.23.19
    cpe:2.3:a:mysql:mysql:3.23.19
  • MySQL MySQL 3.23.20 Beta
    cpe:2.3:a:mysql:mysql:3.23.20:beta
  • MySQL MySQL 3.23.21
    cpe:2.3:a:mysql:mysql:3.23.21
  • MySQL MySQL 3.23.22
    cpe:2.3:a:mysql:mysql:3.23.22
  • MySQL MySQL 3.23.23
    cpe:2.3:a:mysql:mysql:3.23.23
  • MySQL MySQL 3.23.24
    cpe:2.3:a:mysql:mysql:3.23.24
  • MySQL MySQL 3.23.25
    cpe:2.3:a:mysql:mysql:3.23.25
  • MySQL MySQL 3.23.26
    cpe:2.3:a:mysql:mysql:3.23.26
  • MySQL MySQL 3.23.27
    cpe:2.3:a:mysql:mysql:3.23.27
  • MySQL MySQL 3.23.28 gamma
    cpe:2.3:a:mysql:mysql:3.23.28:gamma
  • MySQL MySQL 3.23.29
    cpe:2.3:a:mysql:mysql:3.23.29
  • MySQL MySQL 3.23.30
    cpe:2.3:a:mysql:mysql:3.23.30
  • MySQL MySQL 3.23.31
    cpe:2.3:a:mysql:mysql:3.23.31
  • MySQL MySQL 3.23.32
    cpe:2.3:a:mysql:mysql:3.23.32
  • MySQL MySQL 3.23.33
    cpe:2.3:a:mysql:mysql:3.23.33
  • MySQL MySQL 3.23.34
    cpe:2.3:a:mysql:mysql:3.23.34
  • MySQL MySQL 3.23.35
    cpe:2.3:a:mysql:mysql:3.23.35
  • MySQL MySQL 3.23.36
    cpe:2.3:a:mysql:mysql:3.23.36
  • MySQL MySQL 3.23.37
    cpe:2.3:a:mysql:mysql:3.23.37
  • MySQL MySQL 3.23.38
    cpe:2.3:a:mysql:mysql:3.23.38
  • MySQL MySQL 3.23.39
    cpe:2.3:a:mysql:mysql:3.23.39
  • MySQL MySQL 3.23.40
    cpe:2.3:a:mysql:mysql:3.23.40
  • MySQL MySQL 3.23.41
    cpe:2.3:a:mysql:mysql:3.23.41
  • MySQL MySQL 3.23.42
    cpe:2.3:a:mysql:mysql:3.23.42
  • MySQL MySQL 3.23.43
    cpe:2.3:a:mysql:mysql:3.23.43
  • MySQL MySQL 3.23.44
    cpe:2.3:a:mysql:mysql:3.23.44
  • MySQL MySQL 3.23.45
    cpe:2.3:a:mysql:mysql:3.23.45
  • MySQL MySQL 3.23.46
    cpe:2.3:a:mysql:mysql:3.23.46
  • MySQL MySQL 3.23.47
    cpe:2.3:a:mysql:mysql:3.23.47
  • MySQL MySQL 3.23.48
    cpe:2.3:a:mysql:mysql:3.23.48
  • MySQL MySQL 3.23.49
    cpe:2.3:a:mysql:mysql:3.23.49
  • MySQL MySQL 3.23.50
    cpe:2.3:a:mysql:mysql:3.23.50
  • MySQL MySQL 3.23.51
    cpe:2.3:a:mysql:mysql:3.23.51
  • MySQL MySQL 3.23.52
    cpe:2.3:a:mysql:mysql:3.23.52
  • MySQL MySQL 3.23.53
    cpe:2.3:a:mysql:mysql:3.23.53
  • MySQL MySQL 3.23.54
    cpe:2.3:a:mysql:mysql:3.23.54
  • MySQL MySQL 3.23.55
    cpe:2.3:a:mysql:mysql:3.23.55
  • MySQL MySQL 3.23.56
    cpe:2.3:a:mysql:mysql:3.23.56
  • MySQL MySQL 3.23.57
    cpe:2.3:a:mysql:mysql:3.23.57
  • MySQL MySQL 3.23.58
    cpe:2.3:a:mysql:mysql:3.23.58
  • MySQL MySQL 3.23.59
    cpe:2.3:a:mysql:mysql:3.23.59
  • MySQL MySQL 4.0.0
    cpe:2.3:a:mysql:mysql:4.0.0
  • MySQL MySQL 4.0.1
    cpe:2.3:a:mysql:mysql:4.0.1
  • MySQL MySQL 4.0.2
    cpe:2.3:a:mysql:mysql:4.0.2
  • MySQL MySQL 4.0.3
    cpe:2.3:a:mysql:mysql:4.0.3
  • MySQL MySQL 4.0.4
    cpe:2.3:a:mysql:mysql:4.0.4
  • MySQL MySQL 4.0.5
    cpe:2.3:a:mysql:mysql:4.0.5
  • MySQL MySQL 4.0.5a
    cpe:2.3:a:mysql:mysql:4.0.5a
  • MySQL MySQL 4.0.6
    cpe:2.3:a:mysql:mysql:4.0.6
  • MySQL MySQL 4.0.7
    cpe:2.3:a:mysql:mysql:4.0.7
  • MySQL MySQL 4.0.7 gamma
    cpe:2.3:a:mysql:mysql:4.0.7:gamma
  • MySQL MySQL 4.0.8
    cpe:2.3:a:mysql:mysql:4.0.8
  • MySQL MySQL 4.0.8 gamma
    cpe:2.3:a:mysql:mysql:4.0.8:gamma
  • MySQL MySQL 4.0.9
    cpe:2.3:a:mysql:mysql:4.0.9
  • MySQL MySQL 4.0.9 gamma
    cpe:2.3:a:mysql:mysql:4.0.9:gamma
  • MySQL MySQL 4.0.10
    cpe:2.3:a:mysql:mysql:4.0.10
  • MySQL MySQL 4.0.11
    cpe:2.3:a:mysql:mysql:4.0.11
  • MySQL MySQL 4.0.11 gamma
    cpe:2.3:a:mysql:mysql:4.0.11:gamma
  • MySQL MySQL 4.0.12
    cpe:2.3:a:mysql:mysql:4.0.12
  • MySQL MySQL 4.0.13
    cpe:2.3:a:mysql:mysql:4.0.13
  • MySQL MySQL 4.0.14
    cpe:2.3:a:mysql:mysql:4.0.14
  • MySQL MySQL 4.0.15
    cpe:2.3:a:mysql:mysql:4.0.15
  • MySQL MySQL 4.0.16
    cpe:2.3:a:mysql:mysql:4.0.16
  • MySQL MySQL 4.0.17
    cpe:2.3:a:mysql:mysql:4.0.17
  • MySQL MySQL 4.0.18
    cpe:2.3:a:mysql:mysql:4.0.18
  • MySQL MySQL 4.0.19
    cpe:2.3:a:mysql:mysql:4.0.19
  • MySQL MySQL 4.0.20
    cpe:2.3:a:mysql:mysql:4.0.20
  • MySQL MySQL 4.0.21
    cpe:2.3:a:mysql:mysql:4.0.21
  • MySQL MySQL 4.0.23
    cpe:2.3:a:mysql:mysql:4.0.23
  • MySQL MySQL 4.0.24
    cpe:2.3:a:mysql:mysql:4.0.24
  • MySQL MySQL 4.0.25
    cpe:2.3:a:mysql:mysql:4.0.25
  • MySQL MySQL 4.0.26
    cpe:2.3:a:mysql:mysql:4.0.26
  • MySQL MySQL 4.0.27
    cpe:2.3:a:mysql:mysql:4.0.27
  • MySQL MySQL 4.1.0 alpha
    cpe:2.3:a:mysql:mysql:4.1.0:alpha
  • MySQL MySQL 4.1.0.0
    cpe:2.3:a:mysql:mysql:4.1.0.0
  • MySQL MySQL 4.1.2 alpha
    cpe:2.3:a:mysql:mysql:4.1.2:alpha
  • MySQL MySQL 4.1.3
    cpe:2.3:a:mysql:mysql:4.1.3
  • MySQL MySQL 4.1.3 beta
    cpe:2.3:a:mysql:mysql:4.1.3:beta
  • MySQL MySQL 4.1.4
    cpe:2.3:a:mysql:mysql:4.1.4
  • MySQL MySQL 4.1.5
    cpe:2.3:a:mysql:mysql:4.1.5
  • MySQL MySQL 4.1.6
    cpe:2.3:a:mysql:mysql:4.1.6
  • MySQL MySQL 4.1.7
    cpe:2.3:a:mysql:mysql:4.1.7
  • MySQL MySQL 4.1.8
    cpe:2.3:a:mysql:mysql:4.1.8
  • MySQL MySQL 4.1.9
    cpe:2.3:a:mysql:mysql:4.1.9
  • MySQL MySQL 4.1.10
    cpe:2.3:a:mysql:mysql:4.1.10
  • MySQL MySQL 4.1.11
    cpe:2.3:a:mysql:mysql:4.1.11
  • MySQL MySQL 4.1.12
    cpe:2.3:a:mysql:mysql:4.1.12
  • MySQL MySQL 4.1.13
    cpe:2.3:a:mysql:mysql:4.1.13
  • MySQL MySQL 4.1.14
    cpe:2.3:a:mysql:mysql:4.1.14
  • MySQL MySQL 4.1.15
    cpe:2.3:a:mysql:mysql:4.1.15
  • MySQL MySQL 4.1.16
    cpe:2.3:a:mysql:mysql:4.1.16
  • MySQL MySQL 4.1.17
    cpe:2.3:a:mysql:mysql:4.1.17
  • MySQL MySQL 4.1.18
    cpe:2.3:a:mysql:mysql:4.1.18
  • MySQL MySQL 4.1.19
    cpe:2.3:a:mysql:mysql:4.1.19
  • MySQL MySQL 5.0.0 alpha
    cpe:2.3:a:mysql:mysql:5.0.0:alpha
  • MySQL MySQL 5.0.1
    cpe:2.3:a:mysql:mysql:5.0.1
  • MySQL MySQL 5.0.2
    cpe:2.3:a:mysql:mysql:5.0.2
  • MySQL MySQL 5.0.3 Beta
    cpe:2.3:a:mysql:mysql:5.0.3:beta
  • MySQL MySQL 5.0.4
    cpe:2.3:a:mysql:mysql:5.0.4
  • MySQL MySQL 5.0.5
    cpe:2.3:a:mysql:mysql:5.0.5
  • MySQL MySQL 5.0.6
    cpe:2.3:a:mysql:mysql:5.0.6
  • MySQL MySQL 5.0.7
    cpe:2.3:a:mysql:mysql:5.0.7
  • MySQL MySQL 5.0.8
    cpe:2.3:a:mysql:mysql:5.0.8
  • MySQL MySQL 5.0.9
    cpe:2.3:a:mysql:mysql:5.0.9
  • MySQL MySQL 5.0.10
    cpe:2.3:a:mysql:mysql:5.0.10
  • MySQL MySQL 5.0.11
    cpe:2.3:a:mysql:mysql:5.0.11
  • MySQL MySQL 5.0.12
    cpe:2.3:a:mysql:mysql:5.0.12
  • MySQL MySQL 5.0.13
    cpe:2.3:a:mysql:mysql:5.0.13
  • MySQL MySQL 5.0.14
    cpe:2.3:a:mysql:mysql:5.0.14
  • MySQL MySQL 5.0.15
    cpe:2.3:a:mysql:mysql:5.0.15
  • MySQL MySQL 5.0.16
    cpe:2.3:a:mysql:mysql:5.0.16
  • MySQL MySQL 5.0.17
    cpe:2.3:a:mysql:mysql:5.0.17
  • MySQL MySQL 5.0.18
    cpe:2.3:a:mysql:mysql:5.0.18
CVSS
Base: 4.6 (as of 28-02-2006 - 14:02)
Impact:
Exploitability:
Access
  Vector: LOCAL
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: PARTIAL
  Integrity: PARTIAL
  Availability: PARTIAL
exploit-db via4
description MySQL 5.0.18 Query Logging Bypass Vulnerability. CVE-2006-0903. Remote exploit for linux platform
id EDB-ID:27326
last seen 2016-02-03
modified 2006-02-27
published 2006-02-27
reporter 1dt.w0lf
source https://www.exploit-db.com/download/27326/
title MySQL 5.0.18 Query Logging Bypass Vulnerability
nessus via4
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-274-1.NASL
    description A logging bypass was discovered in the MySQL query parser. A local attacker could exploit this by inserting NUL characters into query strings (even into comments), which would cause the query to be logged incompletely. This only affects you if you enabled the 'log' parameter in the MySQL configuration. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-08-15
    plugin id 21300
    published 2006-04-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21300
    title Ubuntu 4.10 / 5.04 / 5.10 : mysql-dfsg vulnerability (USN-274-1)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2006-064.NASL
    description MySQL allows local users to bypass logging mechanisms via SQL queries that contain the NULL character, which are not properly handled by the mysql_real_query function. Updated packages have been patched to correct this issue.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 21179
    published 2006-04-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21179
    title Mandrake Linux Security Advisory : MySQL (MDKSA-2006:064)
  • NASL family Databases
    NASL id MYSQL_5_0_22.NASL
    description The version of MySQL installed on the remote host is earlier than 5.0.22 / 5.1.10 and thus reportedly allows a local user to bypass authentication by sending a SQL query that contains a NULL character.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 17801
    published 2012-01-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=17801
    title MySQL < 5.0.22 / 5.1.10 Authentication Bypass
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1079.NASL
    description Several vulnerabilities have been discovered in MySQL, a popular SQL database. The Common Vulnerabilities and Exposures Project identifies the following problems:
      - CVE-2006-0903 Improper handling of SQL queries containing the NULL character allows local users to bypass logging mechanisms.
      - CVE-2006-1516 Usernames without a trailing null byte allow remote attackers to read portions of memory.
      - CVE-2006-1517 A request with an incorrect packet length allows remote attackers to obtain sensitive information.
      - CVE-2006-1518 Specially crafted request packets with invalid length values allow the execution of arbitrary code.
      The following vulnerability matrix shows which version of MySQL in which distribution has this problem fixed:
        Package          woody          sarge             sid
        mysql            3.23.49-8.15   n/a               n/a
        mysql-dfsg       n/a            4.0.24-10sarge2   n/a
        mysql-dfsg-4.1   n/a            4.1.11a-4sarge3   n/a
        mysql-dfsg-5.0   n/a            n/a               5.0.21-3
    last seen 2019-02-21
    modified 2018-07-20
    plugin id 22621
    published 2006-10-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22621
    title Debian DSA-1079-1 : mysql-dfsg - several vulnerabilities
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2006-0544.NASL
    description Updated mysql packages that fix multiple security flaws are now available. This update has been rated as having important security impact by the Red Hat Security Response Team.
      MySQL is a multi-user, multi-threaded SQL database server. MySQL is a client/server implementation consisting of a server daemon (mysqld) and many different client programs and libraries.
      A flaw was found in the way the MySQL mysql_real_escape() function escaped strings when operating in a multibyte character encoding. An attacker could provide an application a carefully crafted string containing invalidly-encoded characters which may be improperly escaped, leading to the injection of malicious SQL commands. (CVE-2006-2753)
      An information disclosure flaw was found in the way the MySQL server processed malformed usernames. An attacker could view a small portion of server memory by supplying an anonymous login username which was not null terminated. (CVE-2006-1516)
      An information disclosure flaw was found in the way the MySQL server executed the COM_TABLE_DUMP command. An authenticated malicious user could send a specially crafted packet to the MySQL server which returned random unallocated memory. (CVE-2006-1517)
      A log file obfuscation flaw was found in the way the mysql_real_query() function creates log file entries. An attacker with the ability to call the mysql_real_query() function against a mysql server can obfuscate the entry the server will write to the log file. However, an attacker needed to have complete control over a server in order to attempt this attack. (CVE-2006-0903)
      This update also fixes numerous non-security-related flaws, such as intermittent authentication failures. All users of mysql are advised to upgrade to these updated packages containing MySQL version 4.1.20, which is not vulnerable to these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 22000
    published 2006-07-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22000
    title CentOS 4 : mysql (CESA-2006:0544)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20080521_MYSQL_ON_SL5_X.NASL
    description MySQL did not require privileges such as 'SELECT' for the source table in a 'CREATE TABLE LIKE' statement. An authenticated user could obtain sensitive information, such as the table structure. (CVE-2007-3781)
      A flaw was discovered in MySQL that allowed an authenticated user to gain update privileges for a table in another database, via a view that refers to the external table. (CVE-2007-3782)
      MySQL did not require the 'DROP' privilege for 'RENAME TABLE' statements. An authenticated user could use this flaw to rename arbitrary tables. (CVE-2007-2691)
      A flaw was discovered in the mysql_change_db function when returning from SQL SECURITY INVOKER stored routines. An authenticated user could use this flaw to gain database privileges. (CVE-2007-2692)
      MySQL allowed an authenticated user to bypass logging mechanisms via SQL queries that contain the NULL character, which were not properly handled by the mysql_real_query function. (CVE-2006-0903)
      MySQL allowed an authenticated user to access a table through a previously created MERGE table, even after the user's privileges were revoked from the original table, which might violate intended security policy. This is addressed by allowing the MERGE storage engine to be disabled, which can be done by running mysqld with the '--skip-merge' option. (CVE-2006-4031)
      MySQL evaluated arguments in the wrong security context, which allowed an authenticated user to gain privileges through a routine that had been made available using 'GRANT EXECUTE'. (CVE-2006-4227)
      Multiple flaws in MySQL allowed an authenticated user to cause the MySQL daemon to crash via crafted SQL queries. This only caused a temporary denial of service, as the MySQL daemon is automatically restarted after the crash. (CVE-2006-7232, CVE-2007-1420, CVE-2007-2583)
      As well, these updated packages fix the following bugs:
      - a separate counter was used for 'insert delayed' statements, which caused rows to be discarded. In these updated packages, 'insert delayed' statements no longer use a separate counter, which resolves this issue.
      - due to a bug in the Native POSIX Thread Library, in certain situations, 'flush tables' caused a deadlock on tables that had a read lock. The mysqld daemon had to be killed forcefully. Now, 'COND_refresh' has been replaced with 'COND_global_read_lock', which resolves this issue.
      - mysqld crashed if a query for an unsigned column type contained a negative value for a 'WHERE [column] NOT IN' subquery.
      - in master and slave server situations, specifying 'on duplicate key update' for 'insert' statements did not update slave servers.
      - in the mysql client, empty strings were displayed as 'NULL'. For example, running 'insert into [table-name] values (' ');' resulted in a 'NULL' entry being displayed when querying the table using 'select * from [table-name];'.
      - a bug in the optimizer code resulted in certain queries executing much slower than expected.
      - on 64-bit PowerPC architectures, MySQL did not calculate the thread stack size correctly, which could have caused MySQL to crash when overly-complex queries were used.
      Note: these updated packages upgrade MySQL to version 5.0.45. For a full list of bug fixes and enhancements, refer to the MySQL release notes: http://dev.mysql.com/doc/refman/5.0/en/releasenotes-cs-5-0.html
    last seen 2019-02-21
    modified 2019-01-07
    plugin id 60406
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60406
    title Scientific Linux Security Update : mysql on SL5.x i386/x86_64
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1073.NASL
    description Several vulnerabilities have been discovered in MySQL, a popular SQL database. The Common Vulnerabilities and Exposures Project identifies the following problems:
      - CVE-2006-0903 Improper handling of SQL queries containing the NULL character allows local users to bypass logging mechanisms.
      - CVE-2006-1516 Usernames without a trailing null byte allow remote attackers to read portions of memory.
      - CVE-2006-1517 A request with an incorrect packet length allows remote attackers to obtain sensitive information.
      - CVE-2006-1518 Specially crafted request packets with invalid length values allow the execution of arbitrary code.
      The following vulnerability matrix shows which version of MySQL in which distribution has this problem fixed:
        Package          woody          sarge             sid
        mysql            3.23.49-8.15   n/a               n/a
        mysql-dfsg       n/a            4.0.24-10sarge2   n/a
        mysql-dfsg-4.1   n/a            4.1.11a-4sarge3   n/a
        mysql-dfsg-5.0   n/a            n/a               5.0.21-3
    last seen 2019-02-21
    modified 2018-07-20
    plugin id 22615
    published 2006-10-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22615
    title Debian DSA-1073-1 : mysql-dfsg-4.1 - several vulnerabilities
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2008-0364.NASL
    description Updated mysql packages that fix various security issues and several bugs are now available for Red Hat Enterprise Linux 5. This update has been rated as having low security impact by the Red Hat Security Response Team.
      MySQL is a multi-user, multi-threaded SQL database server. MySQL is a client/server implementation consisting of a server daemon (mysqld), and many different client programs and libraries.
      MySQL did not require privileges such as 'SELECT' for the source table in a 'CREATE TABLE LIKE' statement. An authenticated user could obtain sensitive information, such as the table structure. (CVE-2007-3781)
      A flaw was discovered in MySQL that allowed an authenticated user to gain update privileges for a table in another database, via a view that refers to the external table. (CVE-2007-3782)
      MySQL did not require the 'DROP' privilege for 'RENAME TABLE' statements. An authenticated user could use this flaw to rename arbitrary tables. (CVE-2007-2691)
      A flaw was discovered in the mysql_change_db function when returning from SQL SECURITY INVOKER stored routines. An authenticated user could use this flaw to gain database privileges. (CVE-2007-2692)
      MySQL allowed an authenticated user to bypass logging mechanisms via SQL queries that contain the NULL character, which were not properly handled by the mysql_real_query function. (CVE-2006-0903)
      MySQL allowed an authenticated user to access a table through a previously created MERGE table, even after the user's privileges were revoked from the original table, which might violate intended security policy. This is addressed by allowing the MERGE storage engine to be disabled, which can be done by running mysqld with the '--skip-merge' option. (CVE-2006-4031)
      MySQL evaluated arguments in the wrong security context, which allowed an authenticated user to gain privileges through a routine that had been made available using 'GRANT EXECUTE'. (CVE-2006-4227)
      Multiple flaws in MySQL allowed an authenticated user to cause the MySQL daemon to crash via crafted SQL queries. This only caused a temporary denial of service, as the MySQL daemon is automatically restarted after the crash. (CVE-2006-7232, CVE-2007-1420, CVE-2007-2583)
      As well, these updated packages fix the following bugs:
      * a separate counter was used for 'insert delayed' statements, which caused rows to be discarded. In these updated packages, 'insert delayed' statements no longer use a separate counter, which resolves this issue.
      * due to a bug in the Native POSIX Thread Library, in certain situations, 'flush tables' caused a deadlock on tables that had a read lock. The mysqld daemon had to be killed forcefully. Now, 'COND_refresh' has been replaced with 'COND_global_read_lock', which resolves this issue.
      * mysqld crashed if a query for an unsigned column type contained a negative value for a 'WHERE [column] NOT IN' subquery.
      * in master and slave server situations, specifying 'on duplicate key update' for 'insert' statements did not update slave servers.
      * in the mysql client, empty strings were displayed as 'NULL'. For example, running 'insert into [table-name] values (' ');' resulted in a 'NULL' entry being displayed when querying the table using 'select * from [table-name];'.
      * a bug in the optimizer code resulted in certain queries executing much slower than expected.
      * on 64-bit PowerPC architectures, MySQL did not calculate the thread stack size correctly, which could have caused MySQL to crash when overly-complex queries were used.
      Note: these updated packages upgrade MySQL to version 5.0.45. For a full list of bug fixes and enhancements, refer to the MySQL release notes: http://dev.mysql.com/doc/refman/5.0/en/releasenotes-cs-5-0.html
      All mysql users are advised to upgrade to these updated packages, which resolve these issues.
    last seen 2019-02-21
    modified 2018-11-27
    plugin id 32425
    published 2008-05-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=32425
    title RHEL 5 : mysql (RHSA-2008:0364)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-274-2.NASL
    description USN-274-1 fixed a logging bypass in the MySQL server. Unfortunately it was determined that the original update was not sufficient to completely fix the vulnerability, thus another update is necessary. We apologize for the inconvenience. For reference, these are the details of the original USN : A logging bypass was discovered in the MySQL query parser. A local attacker could exploit this by inserting NUL characters into query strings (even into comments), which would cause the query to be logged incompletely. This only affects you if you enabled the 'log' parameter in the MySQL configuration. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 21568
    published 2006-05-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21568
    title Ubuntu 5.04 / 5.10 : mysql-dfsg vulnerability (USN-274-2)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2006-0544.NASL
    description Updated mysql packages that fix multiple security flaws are now available. This update has been rated as having important security impact by the Red Hat Security Response Team.
      MySQL is a multi-user, multi-threaded SQL database server. MySQL is a client/server implementation consisting of a server daemon (mysqld) and many different client programs and libraries.
      A flaw was found in the way the MySQL mysql_real_escape() function escaped strings when operating in a multibyte character encoding. An attacker could provide an application a carefully crafted string containing invalidly-encoded characters which may be improperly escaped, leading to the injection of malicious SQL commands. (CVE-2006-2753)
      An information disclosure flaw was found in the way the MySQL server processed malformed usernames. An attacker could view a small portion of server memory by supplying an anonymous login username which was not null terminated. (CVE-2006-1516)
      An information disclosure flaw was found in the way the MySQL server executed the COM_TABLE_DUMP command. An authenticated malicious user could send a specially crafted packet to the MySQL server which returned random unallocated memory. (CVE-2006-1517)
      A log file obfuscation flaw was found in the way the mysql_real_query() function creates log file entries. An attacker with the ability to call the mysql_real_query() function against a mysql server can obfuscate the entry the server will write to the log file. However, an attacker needed to have complete control over a server in order to attempt this attack. (CVE-2006-0903)
      This update also fixes numerous non-security-related flaws, such as intermittent authentication failures. All users of mysql are advised to upgrade to these updated packages containing MySQL version 4.1.20, which is not vulnerable to these issues.
    last seen 2019-02-21
    modified 2018-11-27
    plugin id 21683
    published 2006-06-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21683
    title RHEL 4 : mysql (RHSA-2006:0544)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1071.NASL
    description Several vulnerabilities have been discovered in MySQL, a popular SQL database. The Common Vulnerabilities and Exposures Project identifies the following problems:
      - CVE-2006-0903 Improper handling of SQL queries containing the NULL character allows local users to bypass logging mechanisms.
      - CVE-2006-1516 Usernames without a trailing null byte allow remote attackers to read portions of memory.
      - CVE-2006-1517 A request with an incorrect packet length allows remote attackers to obtain sensitive information.
      - CVE-2006-1518 Specially crafted request packets with invalid length values allow the execution of arbitrary code.
      The following vulnerability matrix shows which version of MySQL in which distribution has this problem fixed:
        Package          woody          sarge             sid
        mysql            3.23.49-8.15   n/a               n/a
        mysql-dfsg       n/a            4.0.24-10sarge2   n/a
        mysql-dfsg-4.1   n/a            4.1.11a-4sarge3   n/a
        mysql-dfsg-5.0   n/a            n/a               5.0.21-3
    last seen 2019-02-21
    modified 2018-07-20
    plugin id 22613
    published 2006-10-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22613
    title Debian DSA-1071-1 : mysql - several vulnerabilities
oval via4
accepted 2013-04-29T04:23:17.621-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
  • comment The operating system installed on the system is Red Hat Enterprise Linux 5
    oval oval:org.mitre.oval:def:11414
  • comment The operating system installed on the system is CentOS Linux 5.x
    oval oval:org.mitre.oval:def:15802
  • comment Oracle Linux 5.x
    oval oval:org.mitre.oval:def:15459
description MySQL 5.0.18 and earlier allows local users to bypass logging mechanisms via SQL queries that contain the NULL character, which are not properly handled by the mysql_real_query function. NOTE: this issue was originally reported for the mysql_query function, but the vendor states that since mysql_query expects a null character, this is not an issue for mysql_query.
family unix
id oval:org.mitre.oval:def:9915
status accepted
submitted 2010-07-09T03:56:16-04:00
title MySQL 5.0.18 and earlier allows local users to bypass logging mechanisms via SQL queries that contain the NULL character, which are not properly handled by the mysql_real_query function. NOTE: this issue was originally reported for the mysql_query function, but the vendor states that since mysql_query expects a null character, this is not an issue for mysql_query.
version 24
redhat via4
advisories
  • rhsa
    id RHSA-2006:0544
  • rhsa
    id RHSA-2007:0083
  • rhsa
    id RHSA-2008:0364
rpms
  • mysql-0:5.0.45-7.el5
  • mysql-bench-0:5.0.45-7.el5
  • mysql-devel-0:5.0.45-7.el5
  • mysql-server-0:5.0.45-7.el5
  • mysql-test-0:5.0.45-7.el5
refmap via4
bid 16850
confirm http://bugs.mysql.com/bug.php?id=17667
debian
  • DSA-1071
  • DSA-1073
  • DSA-1079
fulldisc 20060225 mysql <= 5.0.18
mandriva MDKSA-2006:064
misc http://rst.void.ru/papers/advisory39.txt
sectrack 1015693
secunia
  • 19034
  • 19502
  • 19814
  • 20241
  • 20253
  • 20333
  • 20625
  • 30351
ubuntu
  • USN-274-1
  • USN-274-2
vupen ADV-2006-0752
xf mysql-query-log-bypass-security(24966)
statements via4
contributor Mark J Cox
lastmodified 2006-09-19
organization Red Hat
statement Red Hat is aware of this issue and is tracking it via the following bug for Red Hat Enterprise Linux 2.1 and 3: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=194613 The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: http://www.redhat.com/security/updates/classification/ This issue has been fixed for Red Hat Enterprise Linux 4 in RHSA-2006:0544.
Last major update 07-03-2011 - 21:31
Published 27-02-2006 - 18:02
Last modified 03-10-2018 - 17:36