MySQL ASCII escaping SQL injection

mysql-ascii-sql-injection (26875)

Medium Risk

Description:

MySQL is vulnerable to SQL injection. The MySQL mysql_real_escape_string() function fails to properly escape certain character encodings that use the ASCII code for a backslash as the trailing byte in a multibyte character. If a MySQL-based Web application uses one of the affected character encoding sets, a remote attacker could exploit this vulnerability by sending specially-crafted SQL statements containing invalid multibyte encoded characters which would allow the attacker to bypass standard string escaping restrictions and possibly view, add, modify or delete information in the back-end database.

Note: This vulnerability could be exploited using a Web application that uses one of the following character sets: SJIS BIG5 GBK

Consequences:

Data Manipulation

Remedy:

Upgrade to the latest version of Mac OS X (10.4.9 or later) or apply Apple Security Update 2007-003. See References.

Upgrade to the latest version of MySQL (4.1.20 or later), (5.0.22 or later) or (5.1.11-beta or later), available from the MySQL Web site. See References.

For Debian GNU/Linux:
Refer to DSA-1092-1 for patch, upgrade, or suggested workaround information. See References.

For Red Hat Linux:
Refer to RHSA-2006:0544-6 for patch, upgrade, or suggested workaround information. See References.

For Gentoo Linux:
Refer to Gentoo Linux Security Announcement GLSA 2006-06-13 for patch, upgrade, or suggested workaround information. See References.

References:

• Apple Mac OS X Web site: Apple - Apple - Mac OS X - Leopard Sneak Peek.
• Full-Disclosure Mailing List, Thu Jun 01 2006 - 14:05:33 CDT: rPSA-2006-0089-1 mysql mysql-bench mysql-server.
• Mac OS X 10.4.9 and Security Update 2007-003: About the security content of Mac OS X 10.4.9 and Security Update 2007-003.
• MySQL Announcements, May 31 2006 7:33pm: MySQL Lists: announce: MySQL 4.1.20 has been released.
• MySQL Web site: MySQL AB :: MySQL Downloads.
• ASA-2006-120: MySQL security update (RHSA-2006-0544)1)
• BID-18219: MySQL Mysql_real_escape Function SQL Injection Vulnerability
• CVE-2006-2753: SQL injection vulnerability in MySQL 4.1.x before 4.1.20 and 5.0.x before 5.0.22 allows context-dependent attackers to execute arbitrary SQL commands via crafted multibyte encodings in character sets such as SJIS, BIG5, and GBK, which are not properly handled when the mysql_real_escape function is used to escape the input.
• DSA-1092: mysql-dfsg-4.1 -- programming error
• GLSA-200606-13: MySQL: SQL Injection
• RHSA-2006-0544: mysql security update
• SA20365: MySQL Multibyte Encoding SQL Injection Vulnerability
• SA24479: Mac OS X Security Update Fixes Multiple Vulnerabilities
• SECTRACK ID: 1016216: MySQL Error in Parsing Multibyte Encoded Data in mysql_real_escape() Lets Remote Users Inject SQL Commands
• USN-288-3: PostgreSQL client vulnerabilities
• USN-288-4: dovecot regression fix
• USN-303-1: MySQL vulnerability
• VUPEN/ADV-2006-2105: MySQL Multi-byte Encoding Processing Remote SQL Injection Vulnerability
• VUPEN/ADV-2007-0930: Apple Mac OS X Multiple Remote Code Execution and Denial of Service Vulnerabilities

Platforms Affected:

• Canonical Ubuntu 5.04
• Canonical Ubuntu 5.10
• Canonical Ubuntu 6.06 LTS
• Debian Debian Linux 3.1
• Gentoo Linux
• MySQL MySQL 4.1.0.0 Alpha
• MySQL MySQL 4.1.0.0
• MySQL MySQL 4.1.10a
• MySQL MySQL 4.1.11
• MySQL MySQL 4.1.11a
• MySQL MySQL 4.1.13
• MySQL MySQL 4.1.18
• MySQL MySQL 4.1.19
• MySQL MySQL 4.1.2 Alpha
• MySQL MySQL 4.1.3 Beta
• MySQL MySQL 4.1.3.0
• MySQL MySQL 4.1.4
• MySQL MySQL 4.1.5
• MySQL MySQL 5.0.0 Alpha
• MySQL MySQL 5.0.0.0
• MySQL MySQL 5.0.1
• MySQL MySQL 5.0.18
• MySQL MySQL 5.0.2
• MySQL MySQL 5.0.20
• MySQL MySQL 5.0.21
• MySQL MySQL 5.0.3
• MySQL MySQL 5.0.4
• MySQL MySQL 5.1.10
• MySQL MySQL 5.1.9
• RedHat Enterprise Linux 4 AS
• RedHat Enterprise Linux 4 ES
• RedHat Enterprise Linux 4 WS
• RedHat Enterprise Linux 4 Desktop

Reported:

May 31, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page