sql/sql_table.cc in MySQL 5.0.x through 5.0.88, 5.1.x through 5.1.41, and 6.0 before 6.0.9-alpha, when the data home directory contains a symlink to a different filesystem, allows remote authenticated users to bypass intended access restrictions by calling CREATE TABLE with a (1) DATA DIRECTORY or (2) INDEX DIRECTORY argument referring to a subdirectory that requires following this symlink.
Weakness
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Mysql | Mysql | 5.0.0 (including) | 5.0.0 (including) |
| Mysql | Mysql | 5.0.1 (including) | 5.0.1 (including) |
| Mysql | Mysql | 5.0.2 (including) | 5.0.2 (including) |
| Mysql | Mysql | 5.0.3 (including) | 5.0.3 (including) |
| Mysql | Mysql | 5.0.4 (including) | 5.0.4 (including) |
| Mysql | Mysql | 5.0.5 (including) | 5.0.5 (including) |
| Mysql | Mysql | 5.0.5.0.21 (including) | 5.0.5.0.21 (including) |
| Mysql | Mysql | 5.0.10 (including) | 5.0.10 (including) |
| Mysql | Mysql | 5.0.15 (including) | 5.0.15 (including) |
| Mysql | Mysql | 5.0.16 (including) | 5.0.16 (including) |
| Mysql | Mysql | 5.0.17 (including) | 5.0.17 (including) |
| Mysql | Mysql | 5.0.20 (including) | 5.0.20 (including) |
| Mysql | Mysql | 5.0.22.1.0.1 (including) | 5.0.22.1.0.1 (including) |
| Mysql | Mysql | 5.0.24 (including) | 5.0.24 (including) |
| Mysql | Mysql | 5.0.30 (including) | 5.0.30 (including) |
| Mysql | Mysql | 5.0.36 (including) | 5.0.36 (including) |
| Mysql | Mysql | 5.0.44 (including) | 5.0.44 (including) |
| Mysql | Mysql | 5.0.54 (including) | 5.0.54 (including) |
| Mysql | Mysql | 5.0.56 (including) | 5.0.56 (including) |
| Mysql | Mysql | 5.0.60 (including) | 5.0.60 (including) |
| Mysql | Mysql | 5.0.66 (including) | 5.0.66 (including) |
| Mysql | Mysql | 5.0.82 (including) | 5.0.82 (including) |
| Mysql | Mysql | 5.1.5 (including) | 5.1.5 (including) |
| Mysql | Mysql | 5.1.23 (including) | 5.1.23 (including) |
| Mysql | Mysql | 5.1.32 (including) | 5.1.32 (including) |
| Mysql | Mysql | 6.0.9 (including) | 6.0.9 (including) |
| Mysql | Oracle | 5.0.0-alpha (including) | 5.0.0-alpha (including) |
| Mysql | Oracle | 5.0.3-beta (including) | 5.0.3-beta (including) |
| Mysql | Oracle | 5.0.6 (including) | 5.0.6 (including) |
| Mysql | Oracle | 5.0.7 (including) | 5.0.7 (including) |
| Mysql | Oracle | 5.0.8 (including) | 5.0.8 (including) |
| Mysql | Oracle | 5.0.11 (including) | 5.0.11 (including) |
| Mysql | Oracle | 5.0.12 (including) | 5.0.12 (including) |
| Mysql | Oracle | 5.0.13 (including) | 5.0.13 (including) |
| Mysql | Oracle | 5.0.14 (including) | 5.0.14 (including) |
| Mysql | Oracle | 5.0.18 (including) | 5.0.18 (including) |
| Mysql | Oracle | 5.0.19 (including) | 5.0.19 (including) |
| Mysql | Oracle | 5.0.21 (including) | 5.0.21 (including) |
| Mysql | Oracle | 5.0.22 (including) | 5.0.22 (including) |
| Mysql | Oracle | 5.0.23 (including) | 5.0.23 (including) |
| Mysql | Oracle | 5.0.25 (including) | 5.0.25 (including) |
| Mysql | Oracle | 5.0.26 (including) | 5.0.26 (including) |
| Mysql | Oracle | 5.0.27 (including) | 5.0.27 (including) |
| Mysql | Oracle | 5.0.30-sp1 (including) | 5.0.30-sp1 (including) |
| Mysql | Oracle | 5.0.32 (including) | 5.0.32 (including) |
| Mysql | Oracle | 5.0.33 (including) | 5.0.33 (including) |
| Mysql | Oracle | 5.0.37 (including) | 5.0.37 (including) |
| Mysql | Oracle | 5.0.38 (including) | 5.0.38 (including) |
| Mysql | Oracle | 5.0.41 (including) | 5.0.41 (including) |
| Mysql | Oracle | 5.0.42 (including) | 5.0.42 (including) |
| Mysql | Oracle | 5.0.45 (including) | 5.0.45 (including) |
| Mysql | Oracle | 5.0.50 (including) | 5.0.50 (including) |
| Mysql | Oracle | 5.0.51 (including) | 5.0.51 (including) |
| Mysql | Oracle | 5.0.52 (including) | 5.0.52 (including) |
| Mysql | Oracle | 5.0.75 (including) | 5.0.75 (including) |
| Mysql | Oracle | 5.0.77 (including) | 5.0.77 (including) |
| Mysql | Oracle | 5.0.81 (including) | 5.0.81 (including) |
| Mysql | Oracle | 5.0.83 (including) | 5.0.83 (including) |
| Mysql | Oracle | 5.1 (including) | 5.1 (including) |
| Mysql | Oracle | 5.1.1 (including) | 5.1.1 (including) |
| Mysql | Oracle | 5.1.2 (including) | 5.1.2 (including) |
| Mysql | Oracle | 5.1.3 (including) | 5.1.3 (including) |
| Mysql | Oracle | 5.1.4 (including) | 5.1.4 (including) |
| Mysql | Oracle | 5.1.6 (including) | 5.1.6 (including) |
| Mysql | Oracle | 5.1.7 (including) | 5.1.7 (including) |
| Mysql | Oracle | 5.1.8 (including) | 5.1.8 (including) |
| Mysql | Oracle | 5.1.9 (including) | 5.1.9 (including) |
| Mysql | Oracle | 5.1.10 (including) | 5.1.10 (including) |
| Mysql | Oracle | 5.1.11 (including) | 5.1.11 (including) |
| Mysql | Oracle | 5.1.12 (including) | 5.1.12 (including) |
| Mysql | Oracle | 5.1.13 (including) | 5.1.13 (including) |
| Mysql | Oracle | 5.1.14 (including) | 5.1.14 (including) |
| Mysql | Oracle | 5.1.15 (including) | 5.1.15 (including) |
| Mysql | Oracle | 5.1.16 (including) | 5.1.16 (including) |
| Mysql | Oracle | 5.1.17 (including) | 5.1.17 (including) |
| Mysql | Oracle | 5.1.18 (including) | 5.1.18 (including) |
| Mysql | Oracle | 5.1.19 (including) | 5.1.19 (including) |
| Mysql | Oracle | 5.1.20 (including) | 5.1.20 (including) |
| Mysql | Oracle | 5.1.21 (including) | 5.1.21 (including) |
| Mysql | Oracle | 5.1.22 (including) | 5.1.22 (including) |
| Mysql | Oracle | 5.1.30 (including) | 5.1.30 (including) |
| Mysql | Oracle | 6.0.0 (including) | 6.0.0 (including) |
| Mysql | Oracle | 6.0.1 (including) | 6.0.1 (including) |
| Mysql | Oracle | 6.0.2 (including) | 6.0.2 (including) |
| Mysql | Oracle | 6.0.3 (including) | 6.0.3 (including) |
| Mysql | Oracle | 6.0.4 (including) | 6.0.4 (including) |
| Mysql-5.1 | Ubuntu | devel | * |
| Mysql-5.1 | Ubuntu | maverick | * |
| Mysql-dfsg | Ubuntu | dapper | * |
| Mysql-dfsg-4.1 | Ubuntu | dapper | * |
| Mysql-dfsg-5.1 | Ubuntu | jaunty | * |
| Mysql-dfsg-5.1 | Ubuntu | karmic | * |
| Mysql-dfsg-5.1 | Ubuntu | lucid | * |
Potential Mitigations
- Follow the principle of least privilege when assigning access rights to entities in a software system.
- Denying access to a file can prevent an attacker from replacing that file with a link to a sensitive file. Ensure good compartmentalization in the system to provide protected areas that can be trusted.
Related Attack Patterns
- https://cwe.mitre.org/data/definitions/132.html
- https://cwe.mitre.org/data/definitions/17.html
- https://cwe.mitre.org/data/definitions/35.html
- https://cwe.mitre.org/data/definitions/76.html
References
- http://bugs.mysql.com/bug.php?id=39277
- http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
- http://lists.mysql.com/commits/59711
- http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00001.html
- http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00005.html
- http://marc.info/?l=oss-security\u0026m=125908040022018\u0026w=2
- http://secunia.com/advisories/38517
- http://support.apple.com/kb/HT4077
- http://ubuntu.com/usn/usn-897-1
- http://www.mandriva.com/security/advisories?name=MDVSA-2010:044
- http://www.securityfocus.com/bid/38043
- http://www.ubuntu.com/usn/USN-1397-1
- http://www.vupen.com/english/advisories/2010/1107
- https://bugzilla.redhat.com/show_bug.cgi?id=543619
- http://bugs.mysql.com/bug.php?id=39277
- http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
- http://lists.mysql.com/commits/59711
- http://lists.opensuse.org/opensuse-security-announce/2010-05/msg00001.html
- http://lists.opensuse.org/opensuse-security-announce/2010-11/msg00005.html
- http://marc.info/?l=oss-security\u0026m=125908040022018\u0026w=2
- http://secunia.com/advisories/38517
- http://support.apple.com/kb/HT4077
- http://ubuntu.com/usn/usn-897-1
- http://www.mandriva.com/security/advisories?name=MDVSA-2010:044
- http://www.securityfocus.com/bid/38043
- http://www.ubuntu.com/usn/USN-1397-1
- http://www.vupen.com/english/advisories/2010/1107
- https://bugzilla.redhat.com/show_bug.cgi?id=543619