ID CVE-2006-2753
Summary SQL injection vulnerability in MySQL 4.1.x before 4.1.20 and 5.0.x before 5.0.22 allows context-dependent attackers to execute arbitrary SQL commands via crafted multibyte encodings in character sets such as SJIS, BIG5, and GBK, which are not properly handled when the mysql_real_escape function is used to escape the input.
References
Vulnerable Configurations
  • MySQL MySQL 4.1.0
    cpe:2.3:a:mysql:mysql:4.1.0
  • MySQL MySQL 4.1.1
    cpe:2.3:a:mysql:mysql:4.1.1
  • MySQL MySQL 4.1.2
    cpe:2.3:a:mysql:mysql:4.1.2
  • MySQL MySQL 4.1.3
    cpe:2.3:a:mysql:mysql:4.1.3
  • MySQL MySQL 4.1.4
    cpe:2.3:a:mysql:mysql:4.1.4
  • MySQL MySQL 4.1.5
    cpe:2.3:a:mysql:mysql:4.1.5
  • MySQL MySQL 4.1.6
    cpe:2.3:a:mysql:mysql:4.1.6
  • MySQL MySQL 4.1.7
    cpe:2.3:a:mysql:mysql:4.1.7
  • MySQL MySQL 4.1.8
    cpe:2.3:a:mysql:mysql:4.1.8
  • MySQL MySQL 4.1.9
    cpe:2.3:a:mysql:mysql:4.1.9
  • MySQL MySQL 4.1.10
    cpe:2.3:a:mysql:mysql:4.1.10
  • MySQL MySQL 4.1.11
    cpe:2.3:a:mysql:mysql:4.1.11
  • MySQL MySQL 4.1.12
    cpe:2.3:a:mysql:mysql:4.1.12
  • MySQL MySQL 4.1.13
    cpe:2.3:a:mysql:mysql:4.1.13
  • MySQL MySQL 4.1.14
    cpe:2.3:a:mysql:mysql:4.1.14
  • MySQL MySQL 4.1.15
    cpe:2.3:a:mysql:mysql:4.1.15
  • MySQL MySQL 4.1.16
    cpe:2.3:a:mysql:mysql:4.1.16
  • MySQL MySQL 4.1.17
    cpe:2.3:a:mysql:mysql:4.1.17
  • MySQL MySQL 4.1.18
    cpe:2.3:a:mysql:mysql:4.1.18
  • MySQL MySQL 4.1.19
    cpe:2.3:a:mysql:mysql:4.1.19
  • MySQL MySQL 5.0.0
    cpe:2.3:a:mysql:mysql:5.0.0
  • MySQL MySQL 5.0.1
    cpe:2.3:a:mysql:mysql:5.0.1
  • MySQL MySQL 5.0.2
    cpe:2.3:a:mysql:mysql:5.0.2
  • MySQL MySQL 5.0.3
    cpe:2.3:a:mysql:mysql:5.0.3
  • MySQL MySQL 5.0.4
    cpe:2.3:a:mysql:mysql:5.0.4
  • MySQL MySQL 5.0.5
    cpe:2.3:a:mysql:mysql:5.0.5
  • MySQL MySQL 5.0.6
    cpe:2.3:a:mysql:mysql:5.0.6
  • MySQL MySQL 5.0.7
    cpe:2.3:a:mysql:mysql:5.0.7
  • MySQL MySQL 5.0.8
    cpe:2.3:a:mysql:mysql:5.0.8
  • MySQL MySQL 5.0.9
    cpe:2.3:a:mysql:mysql:5.0.9
  • MySQL MySQL 5.0.10
    cpe:2.3:a:mysql:mysql:5.0.10
  • MySQL MySQL 5.0.11
    cpe:2.3:a:mysql:mysql:5.0.11
  • MySQL MySQL 5.0.12
    cpe:2.3:a:mysql:mysql:5.0.12
  • MySQL MySQL 5.0.13
    cpe:2.3:a:mysql:mysql:5.0.13
  • MySQL MySQL 5.0.14
    cpe:2.3:a:mysql:mysql:5.0.14
  • MySQL MySQL 5.0.15
    cpe:2.3:a:mysql:mysql:5.0.15
  • MySQL MySQL 5.0.16
    cpe:2.3:a:mysql:mysql:5.0.16
  • MySQL MySQL 5.0.17
    cpe:2.3:a:mysql:mysql:5.0.17
  • MySQL MySQL 5.0.18
    cpe:2.3:a:mysql:mysql:5.0.18
  • MySQL MySQL 5.0.19
    cpe:2.3:a:mysql:mysql:5.0.19
  • MySQL MySQL 5.0.20
    cpe:2.3:a:mysql:mysql:5.0.20
  • MySQL MySQL 5.0.20a
    cpe:2.3:a:mysql:mysql:5.0.20a
  • MySQL MySQL 5.0.21
    cpe:2.3:a:mysql:mysql:5.0.21
CVSS
Base: 7.5 (as of 02-06-2006 - 08:09)
Impact:
Exploitability:
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: PARTIAL
  Integrity: PARTIAL
  Availability: PARTIAL
nessus via4
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2006-097.NASL
    description SQL injection vulnerability in MySQL 4.1.x before 4.1.20 and 5.0.x before 5.0.22 allows context-dependent attackers to execute arbitrary SQL commands via crafted multibyte encodings in character sets such as SJIS, BIG5, and GBK, which are not properly handled when the mysql_real_escape function is used to escape the input. MySQL 4.0.18 in Corporate 3.0 and MNF 2.0 is not affected by this issue. Packages have been patched to correct this issue.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 21669
    published 2006-06-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21669
    title Mandrake Linux Security Advisory : MySQL (MDKSA-2006:097)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2006-155-01.NASL
    description New mysql packages are available for Slackware 9.1, 10.0, 10.1, 10.2 and -current to fix security issues. The MySQL packages shipped with Slackware 9.1, 10.0, and 10.1 may possibly leak sensitive information found in uninitialized memory to authenticated users. This is fixed in the new packages, and was already patched in Slackware 10.2 and -current. Since the vulnerabilities require a valid login and/or access to the database server, the risk is moderate. Slackware does not provide network access to a MySQL database by default.
    last seen 2019-02-21
    modified 2018-11-19
    plugin id 21639
    published 2006-06-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21639
    title Slackware 10.0 / 10.1 / 10.2 / 9.1 / current : mysql (SSA:2006-155-01)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-303-1.NASL
    description A SQL injection vulnerability has been discovered when using less popular multibyte encodings (such as SJIS, or BIG5) which contain valid multibyte characters that end with the byte 0x5c (the representation of the backslash character >>\<< in ASCII). Many client libraries and applications use the non-standard, but popular way of escaping the >>'<< character by replacing all occurrences of it with >>\'<<. If a client application uses one of the affected encodings and does not interpret multibyte characters, and an attacker supplies a specially crafted byte sequence as an input string parameter, this escaping method would then produce a validly-encoded character and an excess >>'<< character which would end the string. All subsequent characters would then be interpreted as SQL code, so the attacker could execute arbitrary SQL commands. The updated packages fix the mysql_real_escape_string() function to escape quote characters in a safe way. If you use third-party software which uses an ad-hoc method of string escaping, you should convert them to use mysql_real_escape_string() instead, or at least use the standard SQL method of escaping >>'<< with >>''<<. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 27878
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27878
    title Ubuntu 5.10 / 6.06 LTS : mysql-dfsg-4.1, mysql-dfsg-5.0 vulnerability (USN-303-1)
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_10_4_9.NASL
    description The remote host is running a version of Mac OS X 10.4 which is older than version 10.4.9 or a version of Mac OS X 10.3 which does not have Security Update 2007-003 applied. This update contains several security fixes for the following programs : - ColorSync - CoreGraphics - Crash Reporter - CUPS - Disk Images - DS Plugins - Flash Player - GNU Tar - HFS - HID Family - ImageIO - Kernel - MySQL server - Networking - OpenSSH - Printing - QuickDraw Manager - servermgrd - SMB File Server - Software Update - sudo - WebLog
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 24811
    published 2007-03-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24811
    title Mac OS X < 10.4.9 Multiple Vulnerabilities (Security Update 2007-003)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_MYSQL-1593.NASL
    description This update of mysql fixes a bug in the mysql_real_escape() function that allowed SQL command injection (CVE-2006-2753).
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 27357
    published 2007-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27357
    title openSUSE 10 Security Update : mysql (mysql-1593)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1092.NASL
    description Josh Berkus and Tom Lane discovered that MySQL 4.1, a popular SQL database, incorrectly parses a string escaped with mysql_real_escape() which could lead to SQL injection. This problem only exists in versions 4.1 and 5.0.
    last seen 2019-02-21
    modified 2018-07-20
    plugin id 22634
    published 2006-10-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22634
    title Debian DSA-1092-1 : mysql-dfsg-4.1 - programming error
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-288-3.NASL
    description USN-288-1 described a PostgreSQL client vulnerability in the way the >>'<< character is escaped in SQL queries. It was determined that the PostgreSQL backends of Exim, Dovecot, and Postfix used this unsafe escaping method. For reference, these are the details of the original USN : CVE-2006-2313: Akio Ishida and Yasuo Ohgaki discovered a weakness in the handling of invalidly-encoded multibyte text data. If a client application processed untrusted input without respecting its encoding and applied standard string escaping techniques (such as replacing a single quote >>'<< with >>\'<< or >>''<<), the PostgreSQL server could interpret the resulting string in a way that allowed an attacker to inject arbitrary SQL commands into the resulting SQL query. The PostgreSQL server has been modified to reject such invalidly encoded strings now, which completely fixes the problem for some 'safe' multibyte encodings like UTF-8. CVE-2006-2314: However, there are some less popular and client-only multibyte encodings (such as SJIS, BIG5, GBK, GB18030, and UHC) which contain valid multibyte characters that end with the byte 0x5c, which is the representation of the backslash character >>\<< in ASCII. Many client libraries and applications use the non-standard, but popular way of escaping the >>'<< character by replacing all occurrences of it with >>\'<<. If a client application uses one of the affected encodings and does not interpret multibyte characters, and an attacker supplies a specially crafted byte sequence as an input string parameter, this escaping method would then produce a validly-encoded character and an excess >>'<< character which would end the string. All subsequent characters would then be interpreted as SQL code, so the attacker could execute arbitrary SQL commands. To fix this vulnerability end-to-end, client-side applications must be fixed to properly interpret multibyte encodings and use >>''<< instead of >>\'<<. However, as a precautionary measure, the sequence >>\'<< is now regarded as invalid when one of the affected client encodings is in use. If you depend on the previous behaviour, you can restore it by setting 'backslash_quote = on' in postgresql.conf. However, please be aware that this could render you vulnerable again. This issue does not affect you if you only use single-byte (like SQL_ASCII or the ISO-8859-X family) or unaffected multibyte (like UTF-8) encodings. Please see http://www.postgresql.org/docs/techdocs.50 for further details. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 27859
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27859
    title Ubuntu 5.04 / 5.10 / 6.06 LTS : dovecot, exim4, postfix vulnerabilities (USN-288-3)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200606-13.NASL
    description The remote host is affected by the vulnerability described in GLSA-200606-13 (MySQL: SQL Injection) MySQL is vulnerable to an injection flaw in mysql_real_escape() when used with multi-byte characters. Impact : Due to a flaw in the multi-byte character process, an attacker is still able to inject arbitrary SQL statements into the MySQL server for execution. Workaround : There are a few workarounds available: NO_BACKSLASH_ESCAPES mode as a workaround for a bug in mysql_real_escape_string(): SET sql_mode='NO_BACKSLASH_ESCAPES'; SET GLOBAL sql_mode='NO_BACKSLASH_ESCAPES'; and server command line options: --sql-mode=NO_BACKSLASH_ESCAPES.
    last seen 2019-02-21
    modified 2018-08-10
    plugin id 21706
    published 2006-06-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21706
    title GLSA-200606-13 : MySQL: SQL Injection
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2006-0544.NASL
    description Updated mysql packages that fix multiple security flaws are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. MySQL is a multi-user, multi-threaded SQL database server. MySQL is a client/server implementation consisting of a server daemon (mysqld) and many different client programs and libraries. A flaw was found in the way the MySQL mysql_real_escape() function escaped strings when operating in a multibyte character encoding. An attacker could provide an application a carefully crafted string containing invalidly-encoded characters which may be improperly escaped, leading to the injection of malicious SQL commands. (CVE-2006-2753) An information disclosure flaw was found in the way the MySQL server processed malformed usernames. An attacker could view a small portion of server memory by supplying an anonymous login username which was not null terminated. (CVE-2006-1516) An information disclosure flaw was found in the way the MySQL server executed the COM_TABLE_DUMP command. An authenticated malicious user could send a specially crafted packet to the MySQL server which returned random unallocated memory. (CVE-2006-1517) A log file obfuscation flaw was found in the way the mysql_real_query() function creates log file entries. An attacker with the ability to call the mysql_real_query() function against a mysql server can obfuscate the entry the server will write to the log file. However, an attacker needed to have complete control over a server in order to attempt this attack. (CVE-2006-0903) This update also fixes numerous non-security-related flaws, such as intermittent authentication failures. All users of mysql are advised to upgrade to these updated packages containing MySQL version 4.1.20, which is not vulnerable to these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 22000
    published 2006-07-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=22000
    title CentOS 4 : mysql (CESA-2006:0544)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2006-0544.NASL
    description Updated mysql packages that fix multiple security flaws are now available. This update has been rated as having important security impact by the Red Hat Security Response Team. MySQL is a multi-user, multi-threaded SQL database server. MySQL is a client/server implementation consisting of a server daemon (mysqld) and many different client programs and libraries. A flaw was found in the way the MySQL mysql_real_escape() function escaped strings when operating in a multibyte character encoding. An attacker could provide an application a carefully crafted string containing invalidly-encoded characters which may be improperly escaped, leading to the injection of malicious SQL commands. (CVE-2006-2753) An information disclosure flaw was found in the way the MySQL server processed malformed usernames. An attacker could view a small portion of server memory by supplying an anonymous login username which was not null terminated. (CVE-2006-1516) An information disclosure flaw was found in the way the MySQL server executed the COM_TABLE_DUMP command. An authenticated malicious user could send a specially crafted packet to the MySQL server which returned random unallocated memory. (CVE-2006-1517) A log file obfuscation flaw was found in the way the mysql_real_query() function creates log file entries. An attacker with the ability to call the mysql_real_query() function against a mysql server can obfuscate the entry the server will write to the log file. However, an attacker needed to have complete control over a server in order to attempt this attack. (CVE-2006-0903) This update also fixes numerous non-security-related flaws, such as intermittent authentication failures. All users of mysql are advised to upgrade to these updated packages containing MySQL version 4.1.20, which is not vulnerable to these issues.
    last seen 2019-02-21
    modified 2018-11-27
    plugin id 21683
    published 2006-06-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21683
    title RHEL 4 : mysql (RHSA-2006:0544)
  • NASL family Databases
    NASL id MYSQL_5_1_11.NASL
    description The version of MySQL installed on the remote host is earlier than 4.1.20 / 5.0.22 / 5.1.11 and thus reportedly allows a remote attacker to perform SQL injection by using multibyte character encodings (e.g. SJIS, BIG5, GBK) when mysql_real_escape is used.
    last seen 2019-02-21
    modified 2018-07-16
    plugin id 17806
    published 2012-01-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=17806
    title MySQL < 4.1.20 / 5.0.22 / 5.1.11 SQL Injection
oval via4
accepted 2013-04-29T04:04:31.171-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
description SQL injection vulnerability in MySQL 4.1.x before 4.1.20 and 5.0.x before 5.0.22 allows context-dependent attackers to execute arbitrary SQL commands via crafted multibyte encodings in character sets such as SJIS, BIG5, and GBK, which are not properly handled when the mysql_real_escape function is used to escape the input.
family unix
id oval:org.mitre.oval:def:10312
status accepted
submitted 2010-07-09T03:56:16-04:00
title SQL injection vulnerability in MySQL 4.1.x before 4.1.20 and 5.0.x before 5.0.22 allows context-dependent attackers to execute arbitrary SQL commands via crafted multibyte encodings in character sets such as SJIS, BIG5, and GBK, which are not properly handled when the mysql_real_escape function is used to escape the input.
version 23
redhat via4
advisories
rhsa
id RHSA-2006:0544
refmap via4
apple APPLE-SA-2007-03-13
bid 18219
cert TA07-072A
confirm
debian DSA-1092
gentoo GLSA-200606-13
mandriva MDKSA-2006:097
sectrack 1016216
secunia
  • 20365
  • 20489
  • 20531
  • 20541
  • 20562
  • 20625
  • 20712
  • 24479
trustix 2006-0034
ubuntu
  • USN-288-3
  • USN-303-1
vupen
  • ADV-2006-2105
  • ADV-2007-0930
xf mysql-ascii-sql-injection(26875)
Last major update 07-03-2011 - 21:36
Published 01-06-2006 - 13:02
Last modified 03-10-2018 - 17:41