This script is Copyright (C) 2006-2014 Tenable Network Security, Inc.
The remote FreeBSD host is missing one or more security-related
MySQL reports :
A SQL-injection security hole has been found in multibyte encoding
processing. A SQL-injection security hole can include a situation
whereby when inserting user-supplied data into a database, the user
might inject his own SQL statements that the server will execute. With
regards to this vulnerability discovered, when character set unaware
escaping is used (e.g., addslashes() in PHP), it is possible to bypass
it in some multibyte character sets (e.g., SJIS, BIG5 and GBK). As a
result, a function like addslashes() is not able to prevent SQL
injection attacks. It is impossible to fix this on the server side.
The best solution is for applications to use character set aware
escaping offered in a function like mysql_real_escape().
One can use NO_BACKSLASH_ESCAPES mode as a workaround for a bug in
mysql_real_escape_string(), if you cannot upgrade your server for some
reason. It will enable SQL standard compatibility mode, where
backslash is not considered a special character.
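The byte-level behaviour the advisory describes, as an added Python example (not part of the plugin or of MySQL's advisory). The helper names are hypothetical, the escaping functions are simplified models rather than the PHP or MySQL implementations, and the sample bytes are constructed.

```python
# Added illustration: helper names are hypothetical, sample bytes are constructed.
SPECIAL_BYTES = b"\\'\""   # simplified model of addslashes(); NUL handling omitted
SPECIAL_CHARS = "\\'\""

def addslashes_bytes(data: bytes) -> bytes:
    """Charset-unaware escaping: prefix every special *byte* with a backslash."""
    out = bytearray()
    for b in data:
        if b in SPECIAL_BYTES:
            out.append(0x5C)
        out.append(b)
    return bytes(out)

def escape_charset_aware(data: bytes, charset: str) -> bytes:
    """Charset-aware escaping: decode strictly, escape per *character*, re-encode.
    Malformed multibyte input raises UnicodeDecodeError instead of being escaped."""
    out = []
    for ch in data.decode(charset):
        if ch in SPECIAL_CHARS:
            out.append("\\")
        out.append(ch)
    return "".join(out).encode(charset)

def has_unescaped_quote(escaped: bytes, charset: str) -> bool:
    """Read escaped bytes as a server using `charset` would; report a bare quote."""
    text = escaped.decode(charset, errors="replace")
    i = 0
    while i < len(text):
        if text[i] == "\\":      # backslash consumes the following character
            i += 2
            continue
        if text[i] == "'":
            return True
        i += 1
    return False

if __name__ == "__main__":
    sample = b"\xbf\x27"                      # constructed: stray lead byte + quote
    escaped = addslashes_bytes(sample)        # b"\xbf\x5c\x27"
    # In GBK, 0xBF 0x5C is one character, so the added backslash disappears.
    print("latin1:", has_unescaped_quote(escaped, "latin1"))
    print("gbk:   ", has_unescaped_quote(escaped, "gbk"))
    try:
        escape_charset_aware(sample, "gbk")
    except UnicodeDecodeError:
        print("charset-aware escaper rejected malformed GBK input")
```

The same check can be run against any escaping routine and connection character set pair in a test suite to confirm that escaped output never decodes to a bare quote.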
See also :
Update the affected packages.
Risk factor :
Family: FreeBSD Local Security Checks
Nessus Plugin ID: 21634 (freebsd_pkg_7f8ceceaf19911da842200123ffe8333.nasl)