Date: Wed, 21 Jan 2009 11:46:41 -0500 From: Steffen Joeris <steffen.joeris@...lelinux.de> To: oss-security@...ts.openwall.com Cc: coley@...us.mitre.org Subject: mod-auth-mysql: SQL injection Hi The following issue can now be made public. Please note that this describes the software used in debian as mod-auth-mysql (binary name is libapache2-mod-auth-mysql). It is different from the SF project. Package : mod-auth-mysql Vulnerability : SQL injection vulnerability Problem type : remote Debian-specific: no CVE Id : CVE-2008-2384 Martin Joey Schulze discovered that mod-auth-mysq, an apache 2 module for mysql authentication, is prone to an SQL injection due to insufficient escaping mechanisms, when multybite character encodings are used. The link points to the patch. Please credit Martin Joey Schulze for writing it. Cheers Steffen : http://klecker.debian.org/~white/mod-auth-mysql/CVE-2008-2384_mod-auth-mysql.patch Download attachment "signature.asc " of type "application/pgp-signature" (198 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.