Signature Detail

This site is deprecated. Please CLICK HERE for latest updates

Short Name	HTTP:SQL:INJ:SELECT-SUB-DOS
Severity	Minor
Recommended	No
Category	HTTP
Keywords	MySQL SELECT Subquery Denial of Service SQL Injection
Release Date	2010/02/17
Update Number	1613
Supported Platforms	idp-4.0+, isg-3.0+, j-series-9.5+, mx-11.4+, srx-12.1+, srx-branch-12.1+, vmx-17.4+, vsrx-12.1+, vsrx3bsd-18.2+

HTTP: MySQL SELECT Subquery Denial of Service SQL Injection

This signature detects attempts to exploit a known vulnerability against Sun MySQL Database via HTTP SQL Command Injection. A successful attack can result in a denial-of-service condition. Sun Microsystems MySQL prior to 5.0.88 and Sun Microsystems MySQL prior to 5.1.41 are affected. However, it might also be a false positive - many Web sites use variables similar in format to SQL, and some Web sites even use SQL as part of normal operations. This is considered a poor convention, as sites using raw SQL in variables can be vulnerable to SQL injection. To reduce False Positives, it is strongly recommended that these signatures only be used to inspect traffic from the Internet to your organization's Web servers that use SQL backend databases to generate content and not to inspect traffic going from your organization to the Internet.

Extended Description

MySQL is prone to multiple remote denial-of-service vulnerabilities because it fails to handle certain SQL expressions. An attacker can exploit these issues to crash the application, denying access to legitimate users. Versions prior to MySQL 5.0.88 and 5.1.41 are vulnerable.

Affected Products

Apple mac_os_x_server 10.6
Apple mac_os_x_server 10.6.1
Apple mac_os_x_server 10.6.2
Gentoo linux
Mandriva corporate_server 4.0
Mandriva corporate_server 4.0.0 X86 64
Mandriva enterprise_server 5
Mandriva enterprise_server 5 X86 64
Mandriva linux_mandrake 2008.0
Mandriva linux_mandrake 2008.0 X86 64
Mandriva linux_mandrake 2009.0
Mandriva linux_mandrake 2009.0 X86 64
Mandriva linux_mandrake 2009.1
Mandriva linux_mandrake 2009.1 X86 64
Mandriva linux_mandrake 2010.0
Mandriva linux_mandrake 2010.0 X86 64
Mysql_ab mysql 5.0
Mysql_ab mysql 5.0.0 .0-0
Mysql_ab mysql 5.0.0 .0-Alpha
Mysql_ab mysql 5.0.1
Mysql_ab mysql 5.0.18
Mysql_ab mysql 5.0.19
Mysql_ab mysql 5.0.2
Mysql_ab mysql 5.0.20
Mysql_ab mysql 5.0.21
Mysql_ab mysql 5.0.22
Mysql_ab mysql 5.0.22 -1-0.1
Mysql_ab mysql 5.0.24
Mysql_ab mysql 5.0.26
Mysql_ab mysql 5.0.27
Mysql_ab mysql 5.0.3
Mysql_ab mysql 5.0.32
Mysql_ab mysql 5.0.33
Mysql_ab mysql 5.0.36
Mysql_ab mysql 5.0.37
Mysql_ab mysql 5.0.38
Mysql_ab mysql 5.0.39
Mysql_ab mysql 5.0.4
Mysql_ab mysql 5.0.40
Mysql_ab mysql 5.0.42
Mysql_ab mysql 5.0.44
Mysql_ab mysql 5.0.45
Mysql_ab mysql 5.0.46
Mysql_ab mysql 5.0.47
Mysql_ab mysql 5.0.48
Mysql_ab mysql 5.0.49
Mysql_ab mysql 5.0.50
Mysql_ab mysql 5.0.51
Mysql_ab mysql 5.0.52
Mysql_ab mysql 5.0.60
Mysql_ab mysql 5.0.66
Mysql_ab mysql 5.0.75
Mysql_ab mysql 5.1.10
Mysql_ab mysql 5.1.11
Mysql_ab mysql 5.1.12
Mysql_ab mysql 5.1.13
Mysql_ab mysql 5.1.14
Mysql_ab mysql 5.1.15
Mysql_ab mysql 5.1.16
Mysql_ab mysql 5.1.17
Mysql_ab mysql 5.1.18
Mysql_ab mysql 5.1.22
Mysql_ab mysql 5.1.23
Mysql_ab mysql 5.1.26
Mysql_ab mysql 5.1.30
Mysql_ab mysql 5.1.31
Mysql_ab mysql 5.1.32
Mysql_ab mysql 5.1.33
Mysql_ab mysql 5.1.34
Mysql_ab mysql 5.1.35
Mysql_ab mysql 5.1.36
Mysql_ab mysql 5.1.37
Mysql_ab mysql 5.1.38
Mysql_ab mysql 5.1.39
Mysql_ab mysql 5.1.5
Mysql_ab mysql 5.1.6
Mysql_ab mysql 5.1.9
Mysql_ab mysql 6.0.0
Mysql_ab mysql 6.0.1
Mysql_ab mysql 6.0.2
Mysql_ab mysql 6.0.3
Mysql_ab mysql 6.0.4
Mysql_ab mysql 6.0.6
Mysql_ab mysql 6.0.7
Mysql_ab mysql 6.0.8
Mysql_ab mysql 6.0.9
Pardus linux_2009
Red_hat enterprise_linux 5 Server
Red_hat enterprise_linux_desktop 5 Client
Red_hat enterprise_linux_desktop_workstation 5 Client
Red_hat enterprise_linux_eus 5.4.Z Server
Red_hat fedora 10
Red_hat fedora 11
Red_hat fedora 12
Rpath appliance_platform_linux_service 1
Rpath appliance_platform_linux_service 2
Rpath rpath_linux 1
Rpath rpath_linux 2
Suse opensuse 11.0
Suse opensuse 11.1
Suse opensuse 11.2
Suse suse_linux_enterprise 10 SP2
Suse suse_linux_enterprise 10 SP3
Suse suse_linux_enterprise 11
Ubuntu ubuntu_linux 10.04 Amd64
Ubuntu ubuntu_linux 10.04 ARM
Ubuntu ubuntu_linux 10.04 I386
Ubuntu ubuntu_linux 10.04 Powerpc
Ubuntu ubuntu_linux 10.04 Sparc
Ubuntu ubuntu_linux 10.10 amd64
Ubuntu ubuntu_linux 10.10 ARM
Ubuntu ubuntu_linux 10.10 i386
Ubuntu ubuntu_linux 10.10 powerpc
Ubuntu ubuntu_linux 11.04 amd64
Ubuntu ubuntu_linux 11.04 ARM
Ubuntu ubuntu_linux 11.04 i386
Ubuntu ubuntu_linux 11.04 powerpc
Ubuntu ubuntu_linux 11.10 amd64
Ubuntu ubuntu_linux 11.10 i386
Ubuntu ubuntu_linux 6.06 LTS Amd64
Ubuntu ubuntu_linux 6.06 LTS I386
Ubuntu ubuntu_linux 6.06 LTS Powerpc
Ubuntu ubuntu_linux 6.06 LTS Sparc
Ubuntu ubuntu_linux 8.04 LTS Amd64
Ubuntu ubuntu_linux 8.04 LTS I386
Ubuntu ubuntu_linux 8.04 LTS Lpia
Ubuntu ubuntu_linux 8.04 LTS Powerpc
Ubuntu ubuntu_linux 8.04 LTS Sparc
Ubuntu ubuntu_linux 8.10 Amd64
Ubuntu ubuntu_linux 8.10 I386
Ubuntu ubuntu_linux 8.10 Lpia
Ubuntu ubuntu_linux 8.10 Powerpc
Ubuntu ubuntu_linux 8.10 Sparc
Ubuntu ubuntu_linux 9.04 Amd64
Ubuntu ubuntu_linux 9.04 I386
Ubuntu ubuntu_linux 9.04 Lpia
Ubuntu ubuntu_linux 9.04 Powerpc
Ubuntu ubuntu_linux 9.04 Sparc
Ubuntu ubuntu_linux 9.10 Amd64
Ubuntu ubuntu_linux 9.10 I386
Ubuntu ubuntu_linux 9.10 Lpia
Ubuntu ubuntu_linux 9.10 Powerpc
Ubuntu ubuntu_linux 9.10 Sparc

References

BugTraq: 37297
CVE: CVE-2009-4019

Signature Detail

This site is deprecated. Please CLICK HERE for latest updates

Short Name

Severity

Recommended

Category

Keywords

Release Date

Update Number

Supported Platforms

HTTP: MySQL SELECT Subquery Denial of Service SQL Injection

Extended Description

Affected Products

References