Vigil@nce: MySQL, HTML injection of client
October 2008 by Vigil@nce
An attacker can use special data in order to force the MySQL
client to inject characters in HTML results.
– Gravity: 1/4
– Consequences: data creation/edition
– Provenance: intranet client
– Means of attack: 1 proof of concept
– Ability of attacker: specialist (3/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: medium (2/3)
– Creation date: 01/10/2008
IMPACTED PRODUCTS
– MySQL
– MySQL Community Server
– MySQL Enterprise Server
DESCRIPTION
The mysql client can format the columns of a result in various
formats:
– text: mysql --execute "select ..."
– HTML: mysql --html --execute "select ..."
– XML: mysql --xml --execute "select ..."
The HTML format generates a table containing one row for each
record. However, special characters in the data, such as '<', '>' and
'&', are not converted to entities.
When an attacker can control the data to be displayed, he can thus
alter the HTML document, for example to mount a Cross Site
Scripting attack.
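The following Python script is an added illustration, not code from the advisory or from MySQL. It renders a constructed result set as an HTML table the way the description above says the client does (one row per record), once with the cells copied verbatim and once with '<', '>' and '&' converted to entities, and it includes a small checker that a defender can run over saved HTML output to find cells that still contain raw markup characters. The TABLE/TR/TH/TD layout is an assumption modelled on the client's output, not a copy of it.

```python
import html
import re

# Constructed sample result set standing in for the rows returned by a
# "select ..." query. The second and third values are the kind of data
# that the unescaped HTML format would copy straight into the document.
SAMPLE_COLUMNS = ["id", "comment"]
SAMPLE_ROWS = [
    (1, "plain text"),
    (2, "Tom & Jerry"),
    (3, "<b>bold</b> markup in a cell"),
]


def render_html_table(columns, rows, escape):
    """Render a result set as an HTML table, one <TR> per record.

    The TABLE/TR/TH/TD layout is an assumption modelled on the mysql
    client's --html output. With escape=False every cell is copied
    verbatim, which reproduces the behaviour described in the
    advisory; with escape=True '<', '>' and '&' become entities.
    """
    cell = html.escape if escape else str
    parts = ["<TABLE BORDER=1>"]
    parts.append(
        "<TR>" + "".join(f"<TH>{cell(str(c))}</TH>" for c in columns) + "</TR>"
    )
    for row in rows:
        parts.append(
            "<TR>" + "".join(f"<TD>{cell(str(v))}</TD>" for v in row) + "</TR>"
        )
    parts.append("</TABLE>")
    return "".join(parts)


# An '&' is acceptable only when it starts a recognised entity.
_RAW_MARKUP = re.compile(r"[<>]|&(?!(?:amp|lt|gt|quot|apos|#\d+|#x[0-9a-fA-F]+);)")


def unescaped_cells(doc):
    """Return the text of every <TD> cell that still holds a raw '<', '>' or '&'.

    Intended as a check on HTML produced by a tool that may not escape
    its data (for example output saved from mysql --html) before that
    HTML is published or embedded in a page.
    """
    cells = re.findall(r"<TD>(.*?)</TD>", doc, flags=re.S)
    return [c for c in cells if _RAW_MARKUP.search(c)]


if __name__ == "__main__":
    raw = render_html_table(SAMPLE_COLUMNS, SAMPLE_ROWS, escape=False)
    safe = render_html_table(SAMPLE_COLUMNS, SAMPLE_ROWS, escape=True)
    print("unescaped cells in raw output:", unescaped_cells(raw))
    print("unescaped cells in escaped output:", unescaped_cells(safe))
```

Running the script reports two offending cells for the verbatim rendering and none for the escaped one; the same `unescaped_cells` check can be applied to any HTML file before it is served.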
CHARACTERISTICS
– Identifiers: 27884, VIGILANCE-VUL-8137
– Url: http://vigilance.aql.fr/vulnerability/8137