Date: Wed, 21 Jan 2009 11:46:41 -0500
From: Steffen Joeris <steffen.joeris@...lelinux.de>
To: oss-security@...ts.openwall.com
Cc: coley@...us.mitre.org
Subject: mod-auth-mysql: SQL injection
Hi
The following issue can now be made public. Please note that this describes
the software used in Debian as mod-auth-mysql (binary name is
libapache2-mod-auth-mysql). It is different from the SF project.
Package : mod-auth-mysql
Vulnerability : SQL injection vulnerability
Problem type : remote
Debian-specific: no
CVE Id : CVE-2008-2384
Martin Joey Schulze discovered that mod-auth-mysql, an Apache 2 module
for MySQL authentication, is prone to an SQL injection due to
insufficient escaping mechanisms when multibyte character encodings are
used.
The link[0] points to the patch. Please credit Martin Joey Schulze for writing
it.
Cheers
Steffen
[0]: http://klecker.debian.org/~white/mod-auth-mysql/CVE-2008-2384_mod-auth-mysql.patch
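
The failure class named in the advisory, as an added example that is not part of the original message and is neither the module's code nor the linked patch: byte-wise escaping inserts a backslash that a multibyte decoder absorbs into the preceding character, leaving the quote unescaped, while a charset-aware escaper rejects the malformed input. GBK is assumed as the encoding (the advisory names none), its byte ranges are simplified, and all function names and the sample bytes are constructed for illustration.

```c
#include <stddef.h>

/* Simplified GBK model (assumption): lead 0x81-0xFE, trail 0x40-0xFE except 0x7F. */
static int gbk_lead(unsigned char c)  { return c >= 0x81 && c <= 0xFE; }
static int gbk_trail(unsigned char c) { return c >= 0x40 && c <= 0xFE && c != 0x7F; }
static int needs_escape(unsigned char c) { return c == '\'' || c == '"' || c == '\\'; }

/* Constructed sample: a lone lead byte followed by a single quote. */
static const unsigned char sample[] = { 0xBF, '\'' };

/* Byte-wise escaping that ignores the connection character set.
 * out must hold at least 2*n bytes. Returns the output length. */
long escape_bytewise(const unsigned char *in, size_t n, unsigned char *out)
{
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        if (needs_escape(in[i])) out[o++] = '\\';
        out[o++] = in[i];
    }
    return (long)o;
}

/* Charset-aware escaping: copies valid two-byte characters whole and
 * returns -1 for a lead byte that has no valid trail byte. */
long escape_gbk_aware(const unsigned char *in, size_t n, unsigned char *out)
{
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        if (gbk_lead(in[i])) {
            if (i + 1 >= n || !gbk_trail(in[i + 1])) return -1;
            out[o++] = in[i++];          /* lead byte */
            out[o++] = in[i];            /* trail byte, never escaped */
            continue;
        }
        if (needs_escape(in[i])) out[o++] = '\\';
        out[o++] = in[i];
    }
    return (long)o;
}

/* Counts quotes that a GBK-decoding consumer would see as unescaped. */
int unescaped_quotes_gbk(const unsigned char *s, size_t n)
{
    int count = 0;
    for (size_t i = 0; i < n; i++) {
        if (gbk_lead(s[i]) && i + 1 < n && gbk_trail(s[i + 1])) { i++; continue; }
        if (s[i] == '\\' && i + 1 < n) { i++; continue; }
        if (s[i] == '\'') count++;
    }
    return count;
}
```

Running `unescaped_quotes_gbk` over the output of each escaper is a quick regression check for escaping code that must be safe under the connection's character set.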