MySQL User Defined Function Detected
High Nessus Network Monitor Plugin ID 8218
Synopsis
The MySQL server running on the remote server appears to accept user-defined functions.
Description
User-defined functions in MySQL can allow a database user to load binary libraries. The insert privilege on the table 'mysql.func' is required for a user to create user-defined functions. It was confirmed that MySQL on the Windows platform (and possibly other platforms, though unverified) is potentially impacted by the following vulnerabilities:
- If an invalid library is requested, the Windows function 'LoadLibraryEx' will block processing until an error dialog box is acknowledged on the server. It is not likely that non-Windows systems are affected by this particular issue.
- MySQL requires that user-defined libraries contain functions with names fitting the formats 'XXX_deinit' or 'XXX_init'. However, other libraries are known to contain functions fitting these formats and, when called, can cause application crashes, memory corruption and stack pollution.
Solution
The vendor has not released a fix for this issue. Ensure that the privilege of creating user-defined functions is restricted to authorized users.
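
One way to check the restriction described in the solution, as an added example that is not part of the plugin text: the queries list the functions already registered in mysql.func and every account that holds the insert privilege on that table at the global, database or table level. It assumes an account that can read the mysql system schema; the account named in the commented REVOKE line is a placeholder.

```sql
-- Audit of who can create user-defined functions (added example).
-- Assumption: run as an account with SELECT on the mysql system schema.

-- 1. UDFs already registered. Review each name and the library (dl) it loads.
SELECT name, dl, type
  FROM mysql.func
 ORDER BY name;

-- 2. Accounts that can INSERT into mysql.func, at any grant level.
SELECT 'global' AS grant_level, u.User, u.Host
  FROM mysql.user AS u
 WHERE u.Insert_priv = 'Y'
UNION ALL
SELECT 'database', d.User, d.Host
  FROM mysql.db AS d
 WHERE d.Insert_priv = 'Y'
   AND 'mysql' LIKE d.Db            -- Db can hold a wildcard pattern such as '%'
UNION ALL
SELECT 'table', t.User, t.Host
  FROM mysql.tables_priv AS t
 WHERE t.Db = 'mysql'
   AND t.Table_name = 'func'
   AND FIND_IN_SET('Insert', t.Table_priv) > 0
 ORDER BY grant_level, User, Host;

-- 3. Template for removing a table-level grant reported by step 2.
--    Placeholder account; rows reported as 'global' or 'database' have to be
--    revoked at that level instead (ON *.* or ON mysql.*).
-- REVOKE INSERT ON mysql.func FROM 'placeholder_user'@'placeholder_host';
```

Any row from step 2 that does not belong to an authorized administrator is an account that can register a library as a user-defined function.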