GLSA Advocate
Joined: 12 May 2004 Posts: 2663
Posted: Tue Oct 25, 2011 5:26 pm Post subject: [ GLSA 201110-23 ] Apache mod_authnz_external: SQL injection
Gentoo Linux Security Advisory
Title: Apache mod_authnz_external: SQL injection (GLSA 201110-23)
Severity: low
Exploitable: remote
Date: October 25, 2011
Bug(s): #386165
ID: 201110-23
Synopsis
An input sanitization flaw in mod_authnz_external allows a remote
attacker to conduct SQL injection.
Background
mod_authnz_external is a tool for creating custom authentication
backends for HTTP basic authentication.
Affected Packages
Package: www-apache/mod_authnz_external
Vulnerable: < 3.2.6
Unaffected: >= 3.2.6
Architectures: All supported architectures
Description
mysql/mysql-auth.pl in mod_authnz_external does not properly sanitize
input before using it in an SQL query.
Impact
A remote attacker could exploit this vulnerability to inject arbitrary
SQL statements by using a specially crafted username for HTTP
authentication on a site using mod_authnz_external.
Workaround
There is no known workaround at this time.
Resolution
All Apache mod_authnz_external users should upgrade to the latest
version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apache/mod_authnz_external-3.2.6"
References
CVE-2011-2688
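Added example, not part of the advisory and not mod_authnz_external's own code: the flaw class named in the Description (a username pasted into the SQL text) shown beside the parameterized form, in Python with an in-memory SQLite table standing in for the MySQL backend. All function names, the table layout and the sample usernames are constructed for illustration.

```python
import hashlib
import hmac
import os
import sqlite3


def _kdf(password, salt):
    # Salted password verifier, so the sample table holds no plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_db():
    # Constructed sample data; SQLite stands in for the MySQL user table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw BLOB)")
    salt = os.urandom(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)",
               ("alice", salt, _kdf("correct horse", salt)))
    return db


def lookup_unsafe(db, username):
    # Flawed pattern: the username becomes part of the SQL text, so a quote
    # character inside it changes the structure of the statement.
    sql = "SELECT salt, pw FROM users WHERE username = '%s'" % username
    return db.execute(sql).fetchone()


def lookup_safe(db, username):
    # Corrected pattern: the username is bound as a parameter and is only
    # ever compared as data, whatever characters it contains.
    sql = "SELECT salt, pw FROM users WHERE username = ?"
    return db.execute(sql, (username,)).fetchone()


def authenticate(db, username, password, lookup=lookup_safe):
    row = lookup(db, username)
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(stored, _kdf(password, salt))


# Constructed username containing SQL syntax; no such user exists.
CRAFTED = "nobody' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("unsafe lookup matched a row:", lookup_unsafe(db, CRAFTED) is not None)
    print("safe lookup matched a row:  ", lookup_safe(db, CRAFTED) is not None)
```

The unsafe lookup also fails on legitimate input: a username with an apostrophe raises a SQL syntax error instead of returning no match.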