Vigil@nce - MySQL: SQL injection via quote
September 2012 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker, who is authenticated on MySQL and who is allowed to
alter tables, can use a special character, which is saved in the
Binary Log, and which is then used to execute SQL code during the
replication.
Impacted products: MySQL Community, MySQL Enterprise
Severity: 1/4
Creation date: 11/09/2012
DESCRIPTION OF THE VULNERABILITY
The Binary Log of MySQL contains information on database changes.
It is for example used on slave servers during the replication.
A table name or a field name containing special characters has to
the surrounded by quotes. For example: `ab``cd`.
However, the Binary Log does not contain these characters. Special
characters can thus change the meaning of SQL queries executed on
slave servers.
An attacker, who is authenticated on MySQL and who is allowed to
alter tables, can therefore use a special character, which is
saved in the Binary Log, and which is then used to execute SQL
code during the replication.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/MySQL-SQL-injection-via-quote-11928