Bug #21813 An attacker has the opportunity to bypass query logging, part2
Submitted: 24 Aug 2006 15:33 Modified: 13 Sep 2006 17:32
Reporter: Magnus Blåudd Email Updates:
Status: Closed Impact on me:
None 
Category:MySQL Server Severity:S2 (Serious)
Version:5.0.25 OS:
Assigned to: Magnus Blåudd CPU Architecture:Any

[24 Aug 2006 15:33] Magnus Blåudd 
Description:
The same problem as bug#17667 but we need it for prepared statements as well.

How to repeat:
Run a query like with an embedded /0 or NULL char. The part of the query after /0 will not be logged.

Suggested fix:
Use the new functionality for bug#17667 here as well.
[25 Aug 2006 8:47] Magnus Blåudd 
Changed from logging "packet" to "thd->query" in mysql_stmt_preapre and that does not contain the query either. Where might it be... ?
[29 Aug 2006 9:27] Magnus Blåudd 
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/10986

ChangeSet@1.2249, 2006-08-29 11:08:47+02:00, msvensson@neptunus.(none) +2 -0
  Bug#21813 An attacker has the opportunity to bypass query logging, part2
   - Use the "%.*b" format when printing prepared and exeuted prepared
statements to the log.
   - Add test case to check that also prepared statements end up in the query
log
  Bug#14346 Prepared statements corrupting general log/server memory
   - Use "stmt->query" when logging the newly prepared query instead of "packet"
[30 Aug 2006 15:14] Magnus Blåudd 
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/11079

ChangeSet@1.2249, 2006-08-30 17:11:00+02:00, msvensson@neptunus.(none) +2 -0
  Bug#21813 An attacker has the opportunity to bypass query logging, part2
   - Use the "%.*b" format when printing prepared and exeuted prepared
statements to the log.
   - Add test case to check that also prepared statements end up in the query
log
  Bug#14346 Prepared statements corrupting general log/server memory
   - Use "stmt->query" when logging the newly prepared query instead of "packet"
[31 Aug 2006 11:41] Magnus Blåudd 
Pushed to 5.0.25
[31 Aug 2006 19:40] Paul DuBois 
Noted in 5.0.25 changelog.

A NUL byte within a prepared statement string caused the rest of the
string not to be written to the query log, allowing logging to be
bypassed.

Setting report back to NDI pending merge into 5.1.
[13 Sep 2006 8:53] Timothy Smith 
Pushed to 5.1.12
[13 Sep 2006 17:32] Paul DuBois 
Noted in 5.1.12 changelog.