The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

computer vulnerability CVE-2006-2753

MySQL: SQL injection via multi-byte characters

Synthesis of the vulnerability

An attacker can inject SQL code using multi-byte characters.
Impacted systems: Debian, Fedora, Mandriva Linux, MySQL Community, MySQL Enterprise, RHEL.
Severity of this alert: 3/4.
Consequences of an intrusion: privileged access/rights.
Attacker's origin: intranet client.
Creation date: 01/06/2006.
Revision date: 08/06/2006.
References of this alert: BID-18219, CERTA-2006-AVI-231, CERTA-2006-AVI-350, CVE-2006-2753, DSA-1092-1, FEDORA-2006-702, FEDORA-2006-703, MDKSA-2006:097, RHSA-2006:054, RHSA-2006:0544-01, VIGILANCE-VUL-5885.

Description of the vulnerability

Character sets associate a numeric value with each character. When a set contains more than 256 characters, some characters must be encoded on several bytes (multi-byte). Here are three examples of character sets/encodings:
 - ISO-8859-1/LATIN1 (Western European, single-byte)
 - UTF-8 (international, multi-byte)
 - SJIS, BIG5, GBK, GB18030, UHC (Asian, multi-byte)

A SQL string literal can contain the quote character, provided it is escaped. For example:
  SELECT ... WHERE var = 'abc\'def';
  SELECT ... WHERE var = 'abc''def';
The mysql_real_escape_string() function produces this escaping: it adds a backslash before the quote, or doubles the quote.

Two vulnerabilities affect MySQL when multi-byte encodings are used and user-supplied data is inserted into a SQL query. Web applications are potentially vulnerable.

The first vulnerability affects the mysql_real_escape_string() function family, which does not reject invalid multi-byte sequences. For example, in UTF-8, the escaped byte sequence "0xC8 ' ' attackersql" (doubled quote) or "0xC8 \ ' attackersql" (backslash) is read by the server as "one_character ' attackersql" (spaces added for readability): the invalid lead byte 0xC8 absorbs the first quote or the backslash as its trail byte, and the remaining quote closes the string. So, the query:
  SELECT ... WHERE var = ' mysql_real_escape_string("0xC8 ' attackersql") '
becomes:
  SELECT ... WHERE var = ' 0xC8 ' ' attackersql '
  SELECT ... WHERE var = 'one_character ' attackersql'
An attacker can therefore inject the attackersql command.

The second vulnerability only affects Asian encodings, when they are used with simple byte-level escaping functions such as a regular expression replacing ' by \', PHP addslashes(), etc. For example, in SJIS, the query:
  SELECT ... WHERE var = ' addslashes("0x95 0x5C ' attackersql") '
becomes, because the trail byte 0x5C is also the ASCII backslash character and therefore gets escaped too:
  SELECT ... WHERE var = ' 0x95 0x5C \ \ ' attackersql '
  SELECT ... WHERE var = 'one_character \\' attackersql'
An attacker can therefore inject the attackersql command.
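The two cases above, as an added example that is not part of the bulletin: a byte-wise escaper in the style of PHP addslashes(), a charset-aware escaper that decodes strictly (so the invalid UTF-8 sequence of the first case is rejected), and a Shift_JIS-aware scan of the resulting string literal showing where the server would close it. The function names, the lead-byte ranges and the sample input are ours.

```python
# Added example (not from the bulletin): byte-wise escaping, as PHP's
# addslashes() does, versus charset-aware escaping, checked against a
# Shift_JIS-aware scan of the resulting string literal. Names are ours.

# Shift_JIS lead bytes: the following byte belongs to the same character.
SJIS_LEAD = set(range(0x81, 0xA0)) | set(range(0xE0, 0xFD))

def addslashes_bytes(data: bytes) -> bytes:
    """Encoding-blind escaping: prefixes a backslash to every ' " \\ and NUL
    byte, including a 0x5C that is really the trail byte of a character."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)

def escape_text(data: bytes, charset: str) -> bytes:
    """Charset-aware escaping: decode strictly first (an invalid sequence such
    as a lone UTF-8 lead byte raises UnicodeDecodeError and is rejected),
    escape per character, then re-encode so trail bytes are never touched."""
    text = data.decode(charset)
    return text.replace("\\", "\\\\").replace("'", "\\'").encode(charset)

def split_literal(sql: bytes):
    """Scan a Shift_JIS query fragment that starts at an opening quote the way
    a multi-byte-aware lexer does: a lead byte swallows the next byte, a
    backslash escapes the next byte, a bare quote closes the literal.
    Returns (literal body, bytes left outside the literal)."""
    assert sql[0] == 0x27, "fragment must start at the opening quote"
    i, body = 1, bytearray()
    while i < len(sql):
        b = sql[i]
        if b in SJIS_LEAD and i + 1 < len(sql):
            body += sql[i:i + 2]
            i += 2
        elif b == 0x5C and i + 1 < len(sql):
            body.append(sql[i + 1])
            i += 2
        elif b == 0x27:
            return bytes(body), sql[i + 1:]
        else:
            body.append(b)
            i += 1
    raise ValueError("unterminated string literal")

# Constructed input: the bulletin's 0x95 0x5C character (SJIS for U+8868)
# followed by a quote and a marker standing in for attacker-supplied SQL.
USER_INPUT = b"\x95\x5c' attackersql"

def compare() -> dict:
    naive = b"'" + addslashes_bytes(USER_INPUT) + b"'"
    aware = b"'" + escape_text(USER_INPUT, "shift_jis") + b"'"
    return {"naive": split_literal(naive), "aware": split_literal(aware)}
```

With the naive escaper the literal closes right after the character, leaving " attackersql" outside it; with the charset-aware escaper the whole input stays inside the literal. Prepared statements with bound parameters avoid string escaping altogether.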

These vulnerabilities also affect PostgreSQL (VIGILANCE-VUL-5863).
