Bug #95519 Create a Denial of service
Submitted: 24 May 2019 9:04
Modified: 25 Jun 2019 12:28
Reporter: Toto toto
Status: Can't repeat
Category: MySQL Server: Security: Audit
Severity: S3 (Non-critical)
Version: 5.7.25-28
OS: Ubuntu (14.14)
Assigned to:
CPU Architecture: Any
Tags: denial of service

[24 May 2019 9:04] Toto toto
Description:
Hi, 

During an audit I discovered an SQL injection, and when I send the following payload (in a POST HTTP request) it creates a denial of service:

    AND SLEEP(1)

I do not have access to the server; for me it is the same vulnerability as:
CVE-2015-4870

I understand that it can be a bad configuration of the server, but I hope I did not waste your time, and thank you in advance.

How to repeat:
With Apache HTTP Server configured to use MySQL 5.7.25-28 on Ubuntu,

in an environment without prepared SQL statements and with parameters vulnerable to SQL injection:

e.g., in a POST HTTP request:

    id=42%20AND%20SLEEP(1)

[24 May 2019 12:27] MySQL Verification Team
Hi Mr. Toto,

Thank you very much for your bug report.

For your information, we can process the bug only if we have a fully repeatable test case involving only MySQL and no third-party software.

A repeatable test case consists of a series of SQL statements which always lead to the bug reported. You can always use some additional tool, like mysqlslap or sysbench, that is built for MySQL only. Also, this is not a forum for Apache WWW server.

Looking forward to your test case.

[25 Jun 2019 1:00] Bugs System
No feedback was provided for this bug for over a month, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".
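
The condition in the reporter's "How to repeat" steps (a POST parameter pasted into SQL text instead of bound to a prepared statement) can be reproduced and closed off at the application layer. The following is an added example, not code from the report or from MySQL: it assumes an in-memory SQLite database as a stand-in for the MySQL backend, a hypothetical `items` table, and a `SLEEP` stub that only records calls instead of pausing.

```python
import sqlite3
from urllib.parse import parse_qs

# POST body as given in the report's "How to repeat" section.
POST_BODY = "id=42%20AND%20SLEEP(1)"

def make_db():
    """In-memory SQLite stand-in for the MySQL backend (assumption)."""
    db = sqlite3.connect(":memory:")
    calls = []
    # SQLite has no SLEEP(); this stub records each call and returns 0,
    # the value MySQL's SLEEP() returns when it completes normally.
    db.create_function("SLEEP", 1, lambda secs: calls.append(secs) or 0)
    db.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO items VALUES (?, ?)",
                   [(41, "a"), (42, "b"), (43, "c")])  # constructed rows
    return db, calls

def lookup_concatenated(db, raw_id):
    # Pattern described in the report: the parameter becomes part of the SQL text.
    return db.execute("SELECT name FROM items WHERE id = " + raw_id).fetchall()

def lookup_parameterized(db, raw_id):
    # Bound parameter: the whole string is compared as data, never parsed as SQL.
    return db.execute("SELECT name FROM items WHERE id = ?", (raw_id,)).fetchall()

def parse_id(raw_id):
    """Allow-list validation in front of the query: ASCII decimal digits only."""
    if not (raw_id.isascii() and raw_id.isdigit()):
        raise ValueError("id must be a decimal integer")
    return int(raw_id)

def demo(body=POST_BODY):
    raw_id = parse_qs(body)["id"][0]          # URL-decoded: "42 AND SLEEP(1)"
    db, calls = make_db()
    lookup_concatenated(db, raw_id)
    calls_when_concatenated = len(calls)      # SLEEP ran inside the query
    calls.clear()
    rows = lookup_parameterized(db, raw_id)
    return calls_when_concatenated, len(calls), rows

if __name__ == "__main__":
    print(demo())
```

With the bound parameter the database never sees `SLEEP` as a function call, so whether a given server build stalls on it stops being an application concern.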