|
|
Family: Gentoo Local Security Checks --> Category: infos
[GLSA-200606-13] MySQL: SQL Injection Vulnerability Scan
Vulnerability Scan Summary
MySQL: SQL Injection
Detailed Explanation for this Vulnerability Test
The remote host is affected by the vulnerability described in GLSA-200606-13
(MySQL: SQL Injection)
MySQL is vulnerable to an injection flaw in mysql_real_escape() when
used with multi-byte characters.
Impact
Due to a flaw in the multi-byte character process, a possible hacker is still
able to inject arbitary SQL statements into the MySQL server for
execution.
Workaround
There are a few workarounds available: NO_BACKSLASH_ESCAPES mode as a
workaround for a bug in mysql_real_escape_string(): SET
sql_mode='NO_BACKSLASH_ESCAPES'
SET GLOBAL
sql_mode='NO_BACKSLASH_ESCAPES'
and server command line options:
--sql-mode=NO_BACKSLASH_ESCAPES.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2753
Solution:
All MySQL users should upgrade to the latest version:
# emerge --sync
# emerge --ask --oneshot --verbose ">=dev-db/mysql-4.1.20"
Threat Level: Medium
Click HERE for more information and discussions on this network vulnerability scan.
|
