

   VULNERABILITY NOTES

CERT-In Vulnerability Note CIVN-2006-43
MySQL Multi-byte Encoding Processing Remote SQL Injection Vulnerability

Original Issue Date: June 09, 2006

Severity Rating: Medium

Systems Affected

  • MySQL version 4.1.19 and prior
  • MySQL version 5.0.21 and prior
  • MySQL version 5.1.10 and prior

Overview

A vulnerability has been reported in MySQL which could be exploited by remote attackers, through an application that passes untrusted input to the database, to execute arbitrary SQL commands.

Description

A vulnerability has been reported in the way the MySQL server parses string literals in certain multi-byte character sets (e.g. SJIS, BIG5 and GBK). Applications escape quotes, backslashes and similar ASCII characters with the "mysql_real_escape_string()" C API function to make untrusted data safe before placing it in a query, but the server could interpret the escaped string differently from the client: the two did not agree on where multi-byte character boundaries fall, so a crafted byte sequence could cause the backslash inserted before a quote to be absorbed into a multi-byte character, leaving an unescaped quote that terminates the string literal early. A remote attacker able to supply input to such an application could exploit this to bypass the escaping and execute arbitrary SQL commands (SQL injection).
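The following is an added example, not code from the CERT-In note or from MySQL. It models the escaping/parsing mismatch described above with the well-known GBK case: the byte 0xBF is a valid GBK lead byte, 0x27 (') is not a valid trail byte, but 0x5C (\) is. A byte-at-a-time escaper turns 0xBF 0x27 into 0xBF 0x5C 0x27, and a character-set-aware parser then reads 0xBF 0x5C as one two-byte character, so the quote is no longer escaped. The toy lexer, the escaping functions and all inputs are constructed for this illustration; they are not MySQL's server parser or client library, and the exact server-side defect fixed in 4.1.20/5.0.22/5.1.11 is not reproduced here.

```python
# Added example (not from the CERT-In note or MySQL): models the class of
# escaping/parsing mismatch described in CIVN-2006-43 using the GBK case.
# All inputs are constructed; literal_end() is a toy lexer for single-quoted
# literals, not MySQL's parser.

# Byte -> escape sequence a backslash-escaping client emits for the ASCII
# characters that can end or alter a string literal.
ESCAPES = {0x27: b"\\'", 0x22: b'\\"', 0x5C: b"\\\\"}


def gbk_char_len(data: bytes, i: int) -> int:
    """Length (1 or 2) of the GBK character starting at data[i].

    GBK lead bytes are 0x81..0xFE; trail bytes are 0x40..0x7E or 0x80..0xFE.
    A lead byte not followed by a valid trail byte is a single, invalid byte.
    """
    if 0x81 <= data[i] <= 0xFE and i + 1 < len(data):
        t = data[i + 1]
        if 0x40 <= t <= 0x7E or 0x80 <= t <= 0xFE:
            return 2
    return 1


def naive_escape(data: bytes) -> bytes:
    """Charset-unaware escaping: looks at one byte at a time."""
    return b"".join(ESCAPES.get(b, bytes([b])) for b in data)


def gbk_escape(data: bytes) -> bytes:
    """Charset-aware escaping (the example's own code).

    Whole GBK characters pass through untouched. A stray lead byte with no
    valid trail byte is itself backslash-escaped, so the backslash inserted
    for a following quote can never be absorbed into a new two-byte character.
    """
    out = bytearray()
    i = 0
    while i < len(data):
        n = gbk_char_len(data, i)
        b = data[i]
        if n == 2:
            out += data[i:i + 2]
        elif 0x81 <= b <= 0xFE:            # lead byte with no valid trail byte
            out += b"\\" + bytes([b])
        else:
            out += ESCAPES.get(b, bytes([b]))
        i += n
    return bytes(out)


def literal_end(sql: bytes, start: int) -> int:
    """Index of the quote that closes the single-quoted literal whose opening
    quote is sql[start], walking GBK characters; -1 if unterminated."""
    i = start + 1
    while i < len(sql):
        if gbk_char_len(sql, i) == 2:
            i += 2                          # a two-byte character, whatever its bytes
        elif sql[i] == 0x5C:
            i += 2                          # backslash: the next byte is literal
        elif sql[i] == 0x27:
            return i
        else:
            i += 1
    return -1


PREFIX = b"SELECT * FROM users WHERE name = '"
SUFFIX = b"' AND active = 1"


def build_query(escape, user_input: bytes) -> bytes:
    """The query an application would build by interpolating escaped input."""
    return PREFIX + escape(user_input) + SUFFIX


def injected(escape, user_input: bytes) -> bool:
    """True if the literal closes before the quote the application wrote,
    i.e. attacker-controlled bytes are being read as SQL."""
    q = build_query(escape, user_input)
    intended = len(PREFIX) + len(escape(user_input))
    return literal_end(q, len(PREFIX) - 1) != intended


# Constructed attacker input: an invalid GBK lead byte, then a quote.
PAYLOAD = b"\xbf' OR 1=1 -- "

if __name__ == "__main__":
    # 0xBF 0x5C decodes as one GBK character (U+7E17), which is what lets the
    # inserted backslash vanish into it.
    print("0xbf 0x5c as GBK:", b"\xbf\\".decode("gbk"))
    for name, esc in (("naive", naive_escape), ("gbk-aware", gbk_escape)):
        print(name, build_query(esc, PAYLOAD), "injected:", injected(esc, PAYLOAD))
```

With the naive escaper the query reads `... name = '縗' OR 1=1 -- ' AND active = 1`, so the `OR 1=1` is executed; with the charset-aware escaper the stray lead byte is escaped as well and the literal ends where the application intended. Genuine multi-byte input such as a GBK-encoded name followed by a quote is left intact by both, which is why byte-level tests alone do not reveal the problem.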

Solution

Upgrade to MySQL version 4.1.20, 5.0.22, or 5.1.11:
http://dev.mysql.com/downloads/

Applications that build SQL from escaped strings should also make sure the client library knows the connection's character set (set it with mysql_set_character_set() rather than only SET NAMES, which changes the server side but not the character set mysql_real_escape_string() uses) and, where possible, pass untrusted values as bound parameters of prepared statements instead of interpolating them into the query text.

Vendor Information

MySQL:
http://dev.mysql.com/

References

MySQL:
http://dev.mysql.com/doc/refman/4.1/en/news-4-1-20.html
http://dev.mysql.com/doc/refman/5.1/en/news-5-1-11.html
http://dev.mysql.com/doc/refman/5.0/en/news-5-0-22.html
http://bugs.mysql.com/bug.php?id=8378

FrSIRT:
http://www.frsirt.com/english/advisories/2006/2105

SecurityFocus:
http://www.securityfocus.com/bid/18219

Secunia:
http://secunia.com/advisories/20365

SecurityTracker:
http://securitytracker.com/id?1016216

NVD:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-2753

CVE Name

CVE-2006-2753

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information
Phone: +91 11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003