Date: Wed, 21 Jan 2009 11:46:41 -0500
From: Steffen Joeris <steffen.joeris@...lelinux.de>
To: oss-security@...ts.openwall.com
Cc: coley@...us.mitre.org
Subject: mod-auth-mysql: SQL injection

Hi

The following issue can now be made public. Please note that this describes 
the software used in Debian as mod-auth-mysql (binary name is 
libapache2-mod-auth-mysql). It is different from the SF project.

Package        : mod-auth-mysql
Vulnerability  : SQL injection vulnerability
Problem type   : remote
Debian-specific: no
CVE Id         : CVE-2008-2384


Martin Joey Schulze discovered that mod-auth-mysql, an Apache 2 module
for MySQL authentication, is prone to an SQL injection due to
insufficient escaping mechanisms when multibyte character encodings are
used.

The link[0] points to the patch. Please credit Martin Joey Schulze for writing 
it.

Cheers
Steffen

[0]: 
http://klecker.debian.org/~white/mod-auth-mysql/CVE-2008-2384_mod-auth-mysql.patch
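
The bug class named in the advisory, shown as an added example that is neither mod-auth-mysql's code nor the linked patch: a byte-wise escaper is compared with a charset-aware one. GBK as the connection encoding, the function names and the sample bytes are assumptions made for illustration.

```c
#include <stdio.h>   /* also provides size_t */

/* GBK (assumed encoding): lead 0x81-0xFE + trail 0x40-0xFE except 0x7F is one character. */
static int gbk_pair(unsigned char a, unsigned char b) {
    return a >= 0x81 && a <= 0xFE && b >= 0x40 && b <= 0xFE && b != 0x7F;
}
static int is_special(unsigned char c) { return c == '\'' || c == '"' || c == '\\'; }

/* Hypothetical charset-unaware escaper: backslash-prefixes special bytes one at a time. */
static size_t escape_bytewise(const unsigned char *in, size_t n, unsigned char *out) {
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        if (is_special(in[i])) out[o++] = '\\';
        out[o++] = in[i];
    }
    return o;
}

/* Charset-aware escaper: copies whole GBK characters, returns -1 on a dangling lead byte. */
static long escape_gbk(const unsigned char *in, size_t n, unsigned char *out) {
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        if (in[i] >= 0x81 && in[i] <= 0xFE) {
            if (i + 1 >= n || !gbk_pair(in[i], in[i + 1])) return -1;
            out[o++] = in[i++]; out[o++] = in[i];   /* keep the 2-byte character intact */
            continue;
        }
        if (is_special(in[i])) out[o++] = '\\';
        out[o++] = in[i];
    }
    return (long)o;
}

/* Quotes that a GBK-aware lexer would still treat as string terminators after escaping. */
static int bare_quotes_gbk(const unsigned char *s, size_t n) {
    int bare = 0;
    for (size_t i = 0; i < n; i++) {
        if (i + 1 < n && gbk_pair(s[i], s[i + 1])) { i++; continue; }  /* 2-byte character */
        if (s[i] == '\\' && i + 1 < n) { i++; continue; }              /* escaped byte */
        if (s[i] == '\'') bare++;
    }
    return bare;
}

int main(void) {
    const unsigned char in[] = { 'a', 0xBF, '\'', 'b' };  /* constructed sample input */
    unsigned char out[2 * sizeof in];
    printf("byte-wise escaper: %d bare quote(s)\n",
           bare_quotes_gbk(out, escape_bytewise(in, sizeof in, out)));
    printf("charset-aware escaper: %ld\n", escape_gbk(in, sizeof in, out));
    return 0;
}
```

The backslash added by the byte-wise escaper is absorbed as the trail byte of a two-byte character, so the quote after it is no longer escaped; the charset-aware routine refuses the malformed sequence.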
