Date: Wed, 21 Jan 2009 11:46:41 -0500
From: Steffen Joeris <>
Subject: mod-auth-mysql: SQL injection


The following issue can now be made public. Please note that this describes 
the software used in Debian as mod-auth-mysql (binary name is 
libapache2-mod-auth-mysql). It is different from the SF project.

Package        : mod-auth-mysql
Vulnerability  : SQL injection vulnerability
Problem type   : remote
Debian-specific: no
CVE Id         : CVE-2008-2384

Martin Joey Schulze discovered that mod-auth-mysql, an Apache 2 module
for MySQL authentication, is prone to an SQL injection due to
insufficient escaping mechanisms, when multibyte character encodings are

The link[0] points to the patch. Please credit Martin Joey Schulze for writing 
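
An added illustration of the bug class the advisory names, not code from mod-auth-mysql or its patch: escaping that works byte by byte can leave a quote unescaped once the result is decoded as a multibyte encoding, while escaping that follows character boundaries does not. GBK is assumed as the encoding (the advisory names none), and all function names and sample bytes are constructed for this example.

```c
#include <stddef.h>

/* Assumption: GBK stands in for "a multibyte encoding".
   GBK lead bytes are 0x81-0xFE, trail bytes 0x40-0xFE except 0x7F. */
static int gbk_lead(unsigned char c)  { return c >= 0x81 && c <= 0xFE; }
static int gbk_trail(unsigned char c) { return c >= 0x40 && c <= 0xFE && c != 0x7F; }

/* Charset-unaware: backslash-prefix every ' and \ byte; out holds 2*n bytes. */
long escape_bytewise(const unsigned char *in, size_t n, unsigned char *out) {
    long o = 0;
    for (size_t i = 0; i < n; i++) {
        if (in[i] == '\'' || in[i] == '\\') out[o++] = '\\';
        out[o++] = in[i];
    }
    return o;
}

/* Charset-aware: copy whole GBK characters untouched, escape only
   single-byte ' and \, and refuse (-1) input that is not valid GBK. */
long escape_gbk(const unsigned char *in, size_t n, unsigned char *out) {
    long o = 0;
    for (size_t i = 0; i < n; i++) {
        if (gbk_lead(in[i])) {
            if (i + 1 >= n || !gbk_trail(in[i + 1])) return -1;
            out[o++] = in[i++];
            out[o++] = in[i];
            continue;
        }
        if (in[i] >= 0x80) return -1;  /* 0x80 and 0xFF are not valid GBK */
        if (in[i] == '\'' || in[i] == '\\') out[o++] = '\\';
        out[o++] = in[i];
    }
    return o;
}

/* Count quote bytes that a GBK-decoding parser would see as unescaped. */
int unescaped_quotes_gbk(const unsigned char *s, long n) {
    int count = 0;
    for (long i = 0; i < n; i++) {
        if (gbk_lead(s[i]) && i + 1 < n && gbk_trail(s[i + 1])) i++;  /* 2-byte char */
        else if (s[i] == '\\') i++;                 /* next byte is escaped */
        else if (s[i] == '\'') count++;
    }
    return count;
}

int main(void) {  /* constructed input: a stray lead byte followed by a quote */
    unsigned char in[] = {0xBF, '\''}, out[4];
    return unescaped_quotes_gbk(out, escape_bytewise(in, 2, out)) == 1 ? 0 : 1;
}
```

The byte-wise routine turns the constructed pair into lead byte, backslash, quote; a GBK decoder reads the first two bytes as one character, so the quote is no longer escaped.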


