Bug #21813 An attacker has the opportunity to bypass query logging, part2
Submitted: 24 Aug 2006 17:33 Modified: 13 Sep 2006 19:32
Reporter: Magnus Blaudd
Status: Closed
Category: Server Severity: S2 (Serious)
Version: 5.0.25 OS:
Assigned to: Magnus Blaudd Target Version:

[24 Aug 2006 17:33] Magnus Blaudd
Description:
The same problem as bug#17667 but we need it for prepared statements as well.

How to repeat:
Run a query with an embedded /0 or NULL char. The part of the query after /0 will not
be logged.

Suggested fix:
Use the new functionality for bug#17667 here as well.
[25 Aug 2006 10:47] Magnus Blaudd
Changed from logging "packet" to "thd->query" in mysql_stmt_prepare and that does not
contain the query either. Where might it be... ?
[29 Aug 2006 11:27] Magnus Blaudd
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/10986

ChangeSet@1.2249, 2006-08-29 11:08:47+02:00, msvensson@neptunus.(none) +2 -0
  Bug#21813 An attacker has the opportunity to bypass query logging, part2
   - Use the "%.*b" format when printing prepared and executed prepared statements to the log.
   - Add test case to check that also prepared statements end up in the query log
  Bug#14346 Prepared statements corrupting general log/server memory
   - Use "stmt->query" when logging the newly prepared query instead of "packet"
[30 Aug 2006 17:14] Magnus Blaudd
A patch for this bug has been committed. After review, it may
be pushed to the relevant source trees for release in the next
version. You can access the patch from:

  http://lists.mysql.com/commits/11079

ChangeSet@1.2249, 2006-08-30 17:11:00+02:00, msvensson@neptunus.(none) +2 -0
  Bug#21813 An attacker has the opportunity to bypass query logging, part2
   - Use the "%.*b" format when printing prepared and executed prepared statements to the log.
   - Add test case to check that also prepared statements end up in the query log
  Bug#14346 Prepared statements corrupting general log/server memory
   - Use "stmt->query" when logging the newly prepared query instead of "packet"
[31 Aug 2006 13:41] Magnus Blaudd
Pushed to 5.0.25
[31 Aug 2006 21:40] Paul DuBois
Noted in 5.0.25 changelog.

A NUL byte within a prepared statement string caused the rest of the
string not to be written to the query log, allowing logging to be
bypassed.

Setting report back to NDI pending merge into 5.1.
[13 Sep 2006 10:53] Timothy Smith
Pushed to 5.1.12
[13 Sep 2006 19:32] Paul DuBois
Noted in 5.1.12 changelog.
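
The truncation described in this report, as an added example that is not MySQL's code and not part of the original report: a log writer that formats the statement with "%s" loses everything after an embedded NUL, while one that is given the statement length records all of it. The names `log_cstring`, `log_counted` and `SAMPLE_QUERY` are hypothetical, the sample statement is constructed, and the explicit loop with escaping stands in for the counted "%.*b" format named in the changeset.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: statement text with an embedded NUL byte, held as
   pointer + length the way a client packet delivers it. */
static const char SAMPLE_QUERY[] = "SELECT 'a\0b' FROM t1";
#define SAMPLE_LEN (sizeof(SAMPLE_QUERY) - 1)

/* Before: "%s" treats the buffer as a C string and stops at the first NUL,
   so everything after it is missing from the log entry. */
size_t log_cstring(char *out, size_t cap, const char *q)
{
    int n = snprintf(out, cap, "Prepare %s", q);
    if (n < 0) return 0;
    return (size_t)n < cap ? (size_t)n : cap - 1;
}

/* After: length-aware logging. Exactly len bytes are written; NUL and
   backslash are escaped (a choice of this example) so the entry stays a
   single unambiguous text line. */
size_t log_counted(char *out, size_t cap, const char *q, size_t len)
{
    size_t pos, i;
    int n = snprintf(out, cap, "Prepare ");
    if (n < 0 || (size_t)n >= cap) return 0;
    pos = (size_t)n;
    for (i = 0; i < len && pos + 2 < cap; i++) {
        if (q[i] == '\0') { out[pos++] = '\\'; out[pos++] = '0'; }
        else if (q[i] == '\\') { out[pos++] = '\\'; out[pos++] = '\\'; }
        else out[pos++] = q[i];
    }
    out[pos] = '\0';
    return pos;
}

int main(void)
{
    char line[128];
    log_cstring(line, sizeof line, SAMPLE_QUERY);
    printf("%%s logging:     %s\n", line);
    log_counted(line, sizeof line, SAMPLE_QUERY, SAMPLE_LEN);
    printf("counted logging: %s\n", line);
    return 0;
}
```

When auditing other log paths for the same defect, look for statement text passed to a "%s"-style formatter without its length.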