MySQL: Improper Filtering of Directory Traversal Characters in User Defined Functions
Credit: This vulnerability was discovered and researched by Reid Borsuk of Application Security Inc.
Risk level: Low
Affected Versions:
ALL
Background:
User-defined functions in MySQL allow a user in the database to call binary libraries on the operating system. Creating a user-defined function requires insert privileges on the mysql.func table.
Details:
The UDF creation functions attempt to filter out directory traversal characters, so that only libraries in the system and MySQL directories can be loaded.
The problem is that MySQL treats only the forward slash (/) as a path separator, whereas Windows machines use the backslash (\) character to separate directories in paths. This allows an attacker to bypass the directory traversal checks and include arbitrary files.
This may allow an attacker to execute arbitrary code if they are able to drop a file, either through FILE privileges or through other attacks on MySQL or other programs.
It should be noted that this is a Windows specific issue; other operating systems are not likely to be affected.
Exploiting this vulnerability would require the ability to create user-defined functions. This is not typically granted to untrusted users; however, given this vulnerability, you should understand the ramifications of granting the ability to create user-defined functions.
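The separator mismatch described in Details, shown as an added example: a slash-only name check beside a stricter one that rejects every separator Windows honours. This is illustrative code written for this page, not MySQL's source or its patch; the function names and sample library names are assumptions constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Weak check (models the flaw described above): only '/' is treated as a
 * path separator, so a Windows-style path is accepted as a plain name. */
bool udf_name_ok_slash_only(const char *dl)
{
    return dl != NULL && *dl != '\0' && strchr(dl, '/') == NULL;
}

/* Stricter check: the library name must be a bare file name. Reject '/',
 * '\\', the drive/stream delimiter ':', and the "." and ".." entries. */
bool udf_name_ok_strict(const char *dl)
{
    if (dl == NULL || *dl == '\0')
        return false;
    if (strcmp(dl, ".") == 0 || strcmp(dl, "..") == 0)
        return false;
    return strpbrk(dl, "/\\:") == NULL;
}

/* Constructed sample inputs (hypothetical names, not from the advisory). */
static const char *const samples[] = {
    "example_udf.dll",
    "../example_udf.dll",
    "..\\..\\temp\\example_udf.dll",
    "C:\\temp\\example_udf.dll",
};

/* Count samples the weak check accepts but the strict check rejects. */
size_t count_bypasses(void)
{
    size_t n = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (udf_name_ok_slash_only(samples[i]) && !udf_name_ok_strict(samples[i]))
            n++;
    return n;
}

int main(void)
{
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-32s slash-only=%d strict=%d\n", samples[i],
               udf_name_ok_slash_only(samples[i]), udf_name_ok_strict(samples[i]));
    return 0;
}
```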
Workaround:
Restrict access to create user-defined functions.
Vendor Status:
Vendor was contacted and a patch was released.
Fix:
MySQL versions 4.0.25, 4.1.13, or 5.0.7-beta have been patched. These products can be found here: http://dev.mysql.com/downloads/