Bharathy Satish authored
Problem: In case of an authentication plugin mismatch during the connection phase, the server tells the client to switch to a particular plugin by passing the plugin name in the authentication switch packet. When this communication between client and server is compromised, this plugin name can be of a form like ../../xyz.so. This can cause the client to load this library from any location, which is a threat.

Analysis: When the client reads the switch packet, it checks whether the plugin name provided by the server is loaded or not; if not, the client prefixes the plugin name with plugindir and then tries to load it. Ex: plugin_dir = /usr/local/mysql/lib/plugin/ and plugin name given by server = ../../../../lib/xyz/malicious.so; now the plugin to be loaded is /usr/lib/xyz/malicious.so, which is wrong.

Fix: On the client we check whether the plugin name is valid or not before loading.

RB#23535
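The path construction described under "Analysis" and the name check described under "Fix", as an added C example that is not the MySQL client's own code. It reuses the plugin_dir and hostile plugin name quoted in the commit message; the functions `normalize_abs_path`, `plugin_path_unchecked`, `is_valid_plugin_name` and `plugin_path_checked` are names chosen here for illustration, the real client additionally appends a platform shared-library extension and calls dlopen(), which is omitted, and `mysql_clear_password` is used only as an example of a benign bare plugin name.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* plugin_dir from the commit message's example. */
#define PLUGIN_DIR "/usr/local/mysql/lib/plugin/"

/* Lexically normalise an absolute path: collapse repeated '/', "." and "..".
   Returns 0 on success, -1 if the input is not absolute or out is too small.
   Used only to show where an unchecked name would end up; it does not touch the filesystem. */
int normalize_abs_path(const char *in, char *out, size_t outlen) {
    if (in == NULL || in[0] != '/' || outlen < 2) return -1;
    size_t len = 0;                 /* bytes written so far, always ends in '/' */
    out[len++] = '/';
    const char *p = in + 1;
    while (*p) {
        const char *seg = p;
        while (*p && *p != '/') p++;
        size_t seglen = (size_t)(p - seg);
        while (*p == '/') p++;      /* skip one or more separators */
        if (seglen == 0 || (seglen == 1 && seg[0] == '.')) continue;
        if (seglen == 2 && seg[0] == '.' && seg[1] == '.') {
            /* ".." pops the previous component; at the root there is nothing to pop */
            if (len > 1) {
                len--;              /* drop the trailing '/' */
                while (len > 0 && out[len - 1] != '/') len--;
            }
            continue;
        }
        if (len + seglen + 1 >= outlen) return -1;
        memcpy(out + len, seg, seglen);
        len += seglen;
        out[len++] = '/';
    }
    if (len > 1) len--;             /* strip trailing '/' unless the result is "/" */
    out[len] = '\0';
    return 0;
}

/* Pre-fix behaviour from the "Analysis" paragraph: trust the server-supplied
   name and simply prefix plugin_dir to it. */
int plugin_path_unchecked(const char *plugin_dir, const char *name, char *out, size_t outlen) {
    int n = snprintf(out, outlen, "%s%s", plugin_dir, name);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}

/* The check from the "Fix" paragraph (assumed form): a plugin name must be a
   single bare file-name component, so any directory separator or a "."/".."
   component is rejected before the name is used to build a path. */
bool is_valid_plugin_name(const char *name) {
    if (name == NULL || name[0] == '\0') return false;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return false;
    for (const char *p = name; *p; p++)
        if (*p == '/' || *p == '\\') return false;
    return true;
}

/* Validate the name, then confirm the normalised result still lies under
   plugin_dir before it would be handed to the dynamic loader. */
int plugin_path_checked(const char *plugin_dir, const char *name, char *out, size_t outlen) {
    char raw[1024], dir[1024];
    if (!is_valid_plugin_name(name)) return -1;
    if (plugin_path_unchecked(plugin_dir, name, raw, sizeof raw) != 0) return -1;
    if (normalize_abs_path(raw, out, outlen) != 0) return -1;
    if (normalize_abs_path(plugin_dir, dir, sizeof dir) != 0) return -1;
    size_t dlen = strlen(dir);
    if (strncmp(out, dir, dlen) != 0 || out[dlen] != '/') return -1;
    return 0;
}

int main(void) {
    /* Hostile name from the commit message, as if received in the auth-switch packet. */
    const char *hostile = "../../../../lib/xyz/malicious.so";
    char raw[1024], resolved[1024];
    plugin_path_unchecked(PLUGIN_DIR, hostile, raw, sizeof raw);
    normalize_abs_path(raw, resolved, sizeof resolved);
    printf("unchecked: %s -> %s\n", raw, resolved);
    printf("checked:   %s\n", plugin_path_checked(PLUGIN_DIR, hostile, raw, sizeof raw) == 0
                               ? raw : "rejected");
    return 0;
}
```

The name check alone is what closes the traversal; the containment check on the normalised path is a second line of defence against a separator the first check did not anticipate. The check belongs on the client because the plugin name arrives from the server before the connection is authenticated, so an active attacker on the path can supply it; TLS with server certificate verification reduces that exposure but does not replace the check.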