MariaDB Development
  1. MariaDB Development
  2. MDEV-382

Multiple SQL injection vulnerabilities in the replication code

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Critical Critical
    • Resolution: Fixed
    • Affects Version/s: 5.5.25, 5.3.7, 5.2.12, 5.1.62
    • Fix Version/s: 10.0.0, 5.5.27, 5.3.8, 5.2.13, 5.1.66
    • Labels:
      None
    • Global Rank:
      587

      Description

      There are numerous places in the code where SQL statements are generated and written into the binary log. User-supplied identifiers (table names, field names, etc.) are not always properly quoted (for example, the proper quoted form of SPECI`AL is `SPECI``AL`), so authorized users that have privileges to modify a table (any non-temporary table) can inject arbitrary SQL into the binary log.

      Such injected SQL will be executed by the slave or when a DBA does a mysqlbinlog|mysql style point-in-time recovery.

      During the normal MySQL replication (master-slave, not mysqlbinlog|mysql), the options to exploit these vulnerabilities are somewhat limited by the fact, that the slave does not execute many statements, when it expects the one. So, one can not inject a new SQL statement. But one can extend the WHERE condition, or modify tables that he usually would have no access to.

      Just to be clear: to exploit this one needs a valid account on the server and privileges to modify data.

      To trigger the bug one can use, for example,

      create temporary table temp(a int);
      create table `a``b` (a int);
      drop table `a``b`, temp;
      show binlog events;
      

      This issue was reported on MySQL bug tracker: http://bugs.mysql.com/66550

      It has CVE identifier CVE-2012-4414

      The patches are available on launchpad:

        Activity

        There are no comments yet on this issue.

          People

          • Assignee:
            Sergei Golubchik
            Reporter:
            Kristian Nielsen
          • Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved: