Vigil@nce: MySQL, denial of service via XPath
March 2009 by Vigil@nce
A local attacker can use a malformed XPath expression in order to
stop MySQL.
– Gravity: 1/4
– Consequences: denial of service
– Provenance: user account
– Means of attack: 1 attack
– Ability of attacker: technician (2/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 03/03/2009
IMPACTED PRODUCTS
– MySQL Community Server
– MySQL Enterprise
DESCRIPTION OF THE VULNERABILITY
The XPath language is used to indicate a part of XML data. For
example:
- /a/b (absolute): selects the "b" element under the root "a" element
- c (relative): selects the "c" element of the current element
The ExtractValue() and UpdateXML() functions handle XML data from
a SQL query. Their second parameter is an XPath expression:
- ExtractValue('<a><b>bonjour</b></a>', '/a/b') returns "bonjour"
- UpdateXML(’bonjour’, ’/a/b’, ’
returns "
However, when a relative path is used, an assertion error occurs
and stops MySQL.
A local attacker can therefore use a special XPath expression in
order to create a denial of service.
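One way to audit SQL statements for the condition described above, added here as an example and not part of the Vigil@nce advisory or of MySQL: it finds ExtractValue() and UpdateXML() calls and reports those whose second argument is not an absolute XPath literal. The helper names (split_args, classify, audit) and the sample statements are assumptions made for illustration; any expression that does not start with "/" is conservatively treated as relative.

```python
import re

CALL = re.compile(r"\b(ExtractValue|UpdateXML)\s*\(", re.IGNORECASE)

def split_args(sql, pos):
    """Split the call's arguments (sql[pos] is just after '(') on top-level commas."""
    args, buf, depth, in_str, i = [], [], 0, False, pos
    while i < len(sql):
        ch = sql[i]
        if in_str:
            buf.append(ch)
            if ch == "\\" or (ch == "'" and sql[i + 1:i + 2] == "'"):
                i += 1                      # keep escaped char / doubled quote
                buf.append(sql[i:i + 1])
            elif ch == "'":
                in_str = False
        elif ch == ")" and depth == 0:      # closing parenthesis of this call
            return args + ["".join(buf).strip()]
        elif ch == "," and depth == 0:
            args.append("".join(buf).strip())
            buf = []
        else:
            in_str = ch == "'"
            depth += (ch == "(") - (ch == ")")
            buf.append(ch)
        i += 1
    return None                             # unterminated call

def classify(arg):
    """Return 'absolute' or 'relative' for a string literal, 'dynamic' otherwise."""
    if len(arg) < 2 or arg[0] != "'" or arg[-1] != "'":
        return "dynamic"                    # column, variable or expression
    return "absolute" if arg[1:-1].lstrip().startswith("/") else "relative"

def audit(statements):
    """Return (line, function, xpath_argument, kind) for each non-absolute XPath."""
    findings = []
    for n, sql in enumerate(statements, 1):
        for m in CALL.finditer(sql):
            args = split_args(sql, m.end())
            if args and len(args) >= 2 and classify(args[1]) != "absolute":
                findings.append((n, m.group(1), args[1], classify(args[1])))
    return findings

SAMPLE = [  # constructed statements, not taken from a real log
    "SELECT ExtractValue('<a x=\"1,2\"><b>bonjour</b></a>', '/a/b')",
    "SELECT ExtractValue('<a><b>bonjour</b></a>', 'b')",
    "select updatexml('<a><c/></a>', 'c', '<d/>')",
    "SELECT ExtractValue(doc, @path) FROM t",
]
```

Calling audit(SAMPLE) reports statements 2 and 3 as relative and statement 4 as dynamic; a dynamic result means the XPath is built at run time and has to be reviewed where it is constructed.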
CHARACTERISTICS
– Identifiers: VIGILANCE-VUL-8503
– Url: http://vigilance.fr/vulnerability/MySQL-denial-of-service-via-XPath-8503