MySQL Server date_format()函数拒绝服务漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1110632 漏洞类型 格式化字符串
发布时间 2006-07-18 更新时间 2008-07-25
CVE编号 CVE-2006-3469 CNNVD-ID CNNVD-200607-302
漏洞平台 Linux CVSS评分 4.0
|漏洞来源
https://www.exploit-db.com/exploits/28234
https://www.securityfocus.com/bid/19032
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200607-302
|漏洞详情
OracleMySQL是美国甲骨文(Oracle)公司的一套开源的关系数据库管理系统。该数据库系统具有性能高、成本低、可靠性好等特点。MySQL服务器的date_format()函数在处理用户提交的参数时存在漏洞,畸形的参数数据会导致MySQL服务器崩溃。如果用户用特别的SQL语句调用了MySQL的date_format()函数的话,就可能导致服务器崩溃。
|漏洞EXP
source: http://www.securityfocus.com/bid/19032/info

MySQL is prone to a remote denial-of-service vulnerability because the database server fails to properly handle unexpected input.

This issue allows remote attackers to crash affected database servers, denying service to legitimate users. Attackers must be able to execute arbitrary SQL statements on affected servers, which requires valid credentials to connect to affected servers.

Attackers may exploit this issue in conjunction with latent SQL-injection vulnerabilities in other applications.

Versions prior to MySQL 4.1.18, 5.0.19, and 5.1.6 are vulnerable.

The following SQL statement will demonstrate this issue:

select date_format('%d%s', 1);
|受影响的产品
Ubuntu Ubuntu Linux 5.10 sparc Ubuntu Ubuntu Linux 5.10 powerpc Ubuntu Ubuntu Linux 5.10 i386 Ubuntu Ubuntu Linux 5.10 amd64 Slackware Linux 10.2 Redhat Enterprise Linux W
|参考资料

来源:US-CERT
名称:TA07-072A
链接:http://www.us-cert.gov/cas/techalerts/TA07-072A.html
来源:DEBIAN
名称:DSA-1112
链接:http://www.debian.org/security/2006/dsa-1112
来源:UBUNTU
名称:USN-321-1
链接:http://www.ubuntu.com/usn/usn-321-1
来源:BID
名称:19032
链接:http://www.securityfocus.com/bid/19032
来源:REDHAT
名称:RHSA-2008:0768
链接:http://www.redhat.com/support/errata/RHSA-2008-0768.html
来源:GENTOO
名称:GLSA-200608-09
链接:http://security.gentoo.org/glsa/glsa-200608-09.xml
来源:SECUNIA
名称:21147
链接:http://secunia.com/advisories/21147
来源:dev.mysql.com
链接:http://dev.mysql.com/doc/refman/4.1/en/news-4-1-21.html
来源:MISC
链接:http://bugs.mysql.com/bug.php?id=20729
来源:MISC
链接:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=375694
来源:VUPEN
名称:ADV-2007-0930
链接:http://www.frsirt.com/english/advisories/2007/0930
来源:SECUNIA
名称:31226
链接:http://secunia.com/advisories/31226
来源:SECUNIA
名称:24479
链接:http://secunia.com/advisories/24479
来源:SECUNIA
名称:21366
链接:http://secunia.com/advisories/21366
来源:APPLE
名称:APPLE-SA-2007-03-13
链接:http://lists.ap