mysql -- command line client input validation vulnerability

ID 4775C807-8F30-11DD-821F-001CC0377035
Type freebsd
Reporter FreeBSD
Modified 2008-10-10T00:00:00


Thomas Henlich reports:

The mysql command-line client does not quote HTML special characters like < in its output. This allows an attacker who is able to write data into a table to hide or modify records in the output, and to inject potentially dangerous code, e.g. JavaScript to perform cross-site scripting or cross-site request forgery attacks.
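The following is an added illustration, not code from MySQL or from the advisory. It models the client's `--html` table output in Python: one renderer writes cell values verbatim (the defect the report describes) and a hardened one passes every header and cell through `html.escape` first, so a stored value such as a comment opener cannot swallow the rows that follow it. The sample rows, the function names and the `has_unescaped_markup` check are constructed for this example.

```python
import html

# Constructed sample result set: a single column with three rows. The middle
# row holds an HTML comment opener; a renderer that emits it verbatim lets that
# one stored value hide every row rendered after it.
COLUMNS = ("username",)
SAMPLE_ROWS = [
    ("alice",),
    ("<!-- ",),
    ("bob",),
]

# Characters that must never reach an HTML page unencoded.
HTML_SPECIALS = ("<", ">", "&", '"')


def _cell_text(value):
    """Render NULL the way the mysql client does, everything else as a string."""
    return "NULL" if value is None else str(value)


def render_table_unescaped(columns, rows):
    """Vulnerable form: header and cell text are written into the markup as-is."""
    out = ["<TABLE BORDER=1>"]
    out.append("<TR>" + "".join(f"<TH>{c}</TH>" for c in columns) + "</TR>")
    for row in rows:
        out.append("<TR>" + "".join(f"<TD>{_cell_text(v)}</TD>" for v in row) + "</TR>")
    out.append("</TABLE>")
    return "\n".join(out)


def render_table_escaped(columns, rows):
    """Hardened form: every header and cell value is HTML-escaped before output.

    quote=True also encodes double quotes, so the same helper is safe for
    values that might later end up inside an attribute.
    """
    esc = lambda s: html.escape(_cell_text(s), quote=True)
    out = ["<TABLE BORDER=1>"]
    out.append("<TR>" + "".join(f"<TH>{esc(c)}</TH>" for c in columns) + "</TR>")
    for row in rows:
        out.append("<TR>" + "".join(f"<TD>{esc(v)}</TD>" for v in row) + "</TR>")
    out.append("</TABLE>")
    return "\n".join(out)


def has_unescaped_markup(rendered, rows):
    """Detection check: True if any stored value containing an HTML special
    character appears verbatim (unencoded) inside the rendered output."""
    for row in rows:
        for value in row:
            text = _cell_text(value)
            if any(ch in text for ch in HTML_SPECIALS) and text in rendered:
                return True
    return False


if __name__ == "__main__":
    vulnerable = render_table_unescaped(COLUMNS, SAMPLE_ROWS)
    hardened = render_table_escaped(COLUMNS, SAMPLE_ROWS)
    print("--- unescaped (rows after the comment opener are hidden in a browser) ---")
    print(vulnerable)
    print("--- escaped ---")
    print(hardened)
    print("unescaped output leaks markup:", has_unescaped_markup(vulnerable, SAMPLE_ROWS))
    print("escaped output leaks markup:  ", has_unescaped_markup(hardened, SAMPLE_ROWS))
```

The check is deliberately simple: it only asks whether a raw stored value containing a special character survived into the output, which is exactly the condition a defender reviewing a report-generation script would want to fail closed on. Any tool that turns query results into HTML should treat every column value as untrusted text, regardless of which user or application wrote the row.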