Home page logo

bugtraq logo Bugtraq mailing list archives

Re: mSQL vulnerabilities
From: blkadder () VALUE NET (Black Adder)
Date: Tue, 29 Jul 1997 17:04:17 -0700

On Tue, 29 Jul 1997, David Sacerdote wrote:

All mysql string are (own coded) C++ strings and the String class includes a
length so this problem doesn't exists.

No.  At least a few are on the stack.  Look at mysql_rm_table() in
3.20.24a for example:

int mysql_rm_table(THD *thd,tname_t *tables)
  char  path[FN_REFLEN];
    (void) sprintf(path,"%s/%s/%s%s",mysql_data_home,thd->db,table->real_name,

I've not traced the functions which call mysql_rm_table to see if they do
bounds checking, but what I see it doing is the kind of thing which makes
me feel nervous, and suspect a hole, as my initial post to the bugtraq
mailing list indicated.  I have not *confirmed* or *exploited* any holes
in MySQL as of this afternoon.

I sent Monty(the author of MySQL) a note after I saw the mSQL problems,
and taking a quick look and seeing the implicit declaration of FN_REFLEN
which is equivelant to MAXPATHLENGTH, and calls like the one you show
above. He stated that there are bounds checking (33 characters) so this is
not a problem.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]