
MySQL User Defined Function Detected

High

Synopsis

The MySQL server running on the remote server appears to accept user-defined functions.

Description

User-defined functions in MySQL can allow a database user to load binary libraries. The insert privilege on the table 'mysql.func' is required for a user to create user-defined functions. It was confirmed that MySQL on the Windows platform (and possibly other platforms, though unverified) is potentially impacted by the following vulnerabilities:

- If an invalid library is requested, the Windows function 'LoadLibraryEx' will block processing until an error dialog box is acknowledged on the server. It is not likely that non-Windows systems are affected by this particular issue.

- MySQL requires that user-defined libraries contain functions with names fitting the formats: 'XXX_deinit' or 'XXX_init'. However, other libraries are known to contain functions fitting these formats and, when called upon, can cause application crashes, memory corruption and stack pollution.

Solution

The vendor has not released a fix for this issue. Ensure that the privilege of creating user-defined functions is restricted to authorized users.
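
One way to check the restriction described above, as an added example that is not part of the original advisory: the queries list every account whose grants include INSERT on 'mysql.func' (at global, database or table level) and show which user-defined functions are already registered. It assumes an administrative session with read access to the standard grant tables; the account name in the commented REVOKE is hypothetical, and privileges inherited through MySQL 8.0 roles are not expanded.

```sql
-- Added audit example. Run as an administrative account.

-- 1. Accounts that can insert into mysql.func, and the level the grant comes from.
SELECT 'global' AS grant_scope, User, Host
  FROM mysql.user
 WHERE Insert_priv = 'Y'
UNION ALL
SELECT 'database', User, Host
  FROM mysql.db
 WHERE Insert_priv = 'Y'
   AND 'mysql' LIKE Db            -- Db may hold a wildcard pattern such as '%'
UNION ALL
SELECT 'table', User, Host
  FROM mysql.tables_priv
 WHERE Db = 'mysql'
   AND Table_name = 'func'
   AND FIND_IN_SET('Insert', Table_priv) > 0
ORDER BY User, Host;

-- 2. User-defined functions currently registered, with the library each one loads.
--    Any row that is not an approved function should be investigated.
SELECT name, dl, type
  FROM mysql.func;

-- 3. Template for removing a database-level grant found in step 1.
--    'app_user'@'%' is a hypothetical account; substitute one returned above.
-- REVOKE INSERT ON mysql.* FROM 'app_user'@'%';
```

Accounts reported with a 'global' scope hold INSERT on every schema, so narrowing them means replacing the global grant with grants on the specific application schemas they need.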