Slashdot Mirror


Buffer Overflow in MySQL

maedls.at writes "Here is a short description of the Vulnerability: Passwords of MySQL users are stored in the "User" table, part of the "mysql" database, specifically in the "Password" field. In MySQL 4.0.x and 3.23.x, these passwords are hashed and stored as a 16-character-long hexadecimal value, specifically in the "Password" field. Unfortunately, a function involved in password checking misses correct bounds checking. By filling a "Password" field with a value wider than 16 characters, a buffer overflow will occur. For details and proof of concept see: http://lists.netsys.com/pipermail/full-disclosure/2003-September/009819.html"

2 of 43 comments

  1. damn... by shaitand · Score: 0, Redundant

    That's a pretty serious vulnerability... patching now.

  2. Re:Problem is in C libraries by arthurs_sidekick · Score: 1, Redundant

    and that was a "d'oh" posting problem (did you forget to preview?)

        /* ulong, uint and char_val() come from MySQL's own headers.
           res points at a two-element array, but nothing below limits
           how many words get written into it. */
        void get_salt_from_password(ulong *res, const char *password)
        {
          res[0] = res[1] = 0;
          if (password)
          {
            while (*password)              /* one iteration per 8 input characters */
            {
              ulong val = 0;
              uint i;
              for (i = 0; i < 8; i++)
                val = (val << 4) + char_val(*password++);
              *res++ = val;                /* a third word lands past res[1] */
            }
          }
          return;
        }

    Sorry folks!

    --
    "Oh, I hope he doesn't give us halyatchkies," said Heinrich.
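As an added example (not the story's code and not MySQL's actual patch), the C block below puts a bounds-checked counterpart next to the unchecked loop quoted in the comment above: it refuses any stored Password value that is not empty or exactly 16 hex characters, so at most the two words the caller provides are ever written. A small helper also counts how many words the unchecked loop would write for a given value length, which is where the overrun for anything longer than 16 characters comes from. The names hex_val, original_words_written and get_salt_from_password_checked are chosen here, the ulong typedef stands in for MySQL's own, and the 16-character and two-word sizes are the ones the story gives.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in typedef; MySQL defines ulong in its own headers. */
typedef unsigned long ulong;

#define HASH_LEN   16   /* MySQL 3.23/4.0 stores the hash as 16 hex characters */
#define SALT_WORDS 2    /* the caller's res[] holds two words, res[0] and res[1] */

/* Hypothetical stand-in for MySQL's char_val(): hex digit -> 0..15, -1 if not hex.
 * Unlike the original helper, this one reports bad characters. */
static int hex_val(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* How many words the unchecked loop writes for a Password value of the
 * given length: one per 8 characters, rounded up. Anything above
 * SALT_WORDS overruns res[]. (If len is not a multiple of 8 the original
 * also reads past the terminator, so this is a lower bound.) */
size_t original_words_written(size_t len)
{
    return (len + 7) / 8;
}

/* Bounds-checked variant (added example, not MySQL's fix). Accepts either an
 * empty value (no password, as the original does) or exactly HASH_LEN hex
 * digits, so at most SALT_WORDS words are ever written. Returns 0 on success,
 * -1 if the stored value is malformed. */
int get_salt_from_password_checked(ulong res[SALT_WORDS], const char *password)
{
    size_t len, i;

    res[0] = res[1] = 0;
    if (password == NULL)
        return 0;

    len = strlen(password);
    if (len == 0)
        return 0;
    if (len != HASH_LEN)
        return -1;                     /* over- or under-long: reject before looping */

    for (i = 0; i < HASH_LEN; i++) {
        int v = hex_val(password[i]);
        if (v < 0)
            return -1;                 /* not a hex digit: reject */
        res[i / 8] = (res[i / 8] << 4) + (ulong)v;   /* i/8 is always 0 or 1 */
    }
    return 0;
}

int main(void)
{
    /* Constructed sample values, not real hashes. */
    const char *samples[] = { "0123456789abcdef", "0123456789abcdef00", "" };
    size_t n;
    for (n = 0; n < sizeof samples / sizeof samples[0]; n++) {
        ulong res[SALT_WORDS];
        int rc = get_salt_from_password_checked(res, samples[n]);
        printf("%-20s len=%2zu unchecked words=%zu checked rc=%d res={%lx,%lx}\n",
               samples[n], strlen(samples[n]),
               original_words_written(strlen(samples[n])), rc, res[0], res[1]);
    }
    return 0;
}
```

The design point is that the length of the stored value is validated once, before any loop runs, and the write index is derived from a bounded counter rather than from a pointer that advances as long as input remains; a value that is too long is rejected outright instead of being partially parsed.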