|
|
Vulnerability Assessment & Network Security Forums |
|||||||||
|
If through a vulnerability assessment, a network security issue is detected for the vulnerability below, applying the appropriate security patches in a timely matter is very important. If you have detected that your system has already been compromised, following CERT's Network Security recovery document will assist with recommended steps for system recovery. Home >> Browse Vulnerability Assessment Database >> Gentoo Local Security Checks >> [GLSA-200606-13] MySQL: SQL Injection Vulnerability Assessment Details
|
[GLSA-200606-13] MySQL: SQL Injection |
||
|
MySQL: SQL Injection Detailed Explanation for this Vulnerability Assessment The remote host is affected by the vulnerability described in GLSA-200606-13 (MySQL: SQL Injection) MySQL is vulnerable to an injection flaw in mysql_real_escape() when used with multi-byte characters. Impact Due to a flaw in the multi-byte character process, a possible hacker is still able to inject arbitary SQL statements into the MySQL server for execution. Workaround There are a few workarounds available: NO_BACKSLASH_ESCAPES mode as a workaround for a bug in mysql_real_escape_string(): SET sql_mode='NO_BACKSLASH_ESCAPES' SET GLOBAL sql_mode='NO_BACKSLASH_ESCAPES' and server command line options: --sql-mode=NO_BACKSLASH_ESCAPES. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2753 Solution: All MySQL users should upgrade to the latest version: # emerge --sync # emerge --ask --oneshot --verbose ">=dev-db/mysql-4.1.20" Network Security Threat Level: Medium Networks Security ID: Vulnerability Assessment Copyright: (C) 2006 Michel Arboi |
||
|
Router Components, Memory |
|
||
|
No Discussions have been posted on this vulnerability. |