
Gentoo: GLSA-201110-23 Low: mod_authnz_external SQL Injection Risk

October 25, 2011
Gentoo advisory GLSA-201110-23 warns of an SQL injection vulnerability in mod_authnz_external that affects web servers using the module.

Summary

mysql/mysql-auth.pl in mod_authnz_external does not properly sanitize input before using it in an SQL query.

Resolution

All Apache mod_authnz_external users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot -v ">=www-apache/mod_authnz_external-3.2.6"

References

[ 1 ] CVE-2011-2688 http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2688

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website: https://security.gentoo.org/glsa/201110-23

Concerns

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.


Severity: Low
Title: Apache mod_authnz_external: SQL injection
Date: October 25, 2011
Bugs: #386165
ID: 201110-23

Synopsis

An input sanitization flaw in mod_authnz_external allows a remote attacker to conduct SQL injection.

Background

mod_authnz_external is a tool for creating custom authentication backends for HTTP basic authentication.


Affected Packages

    -------------------------------------------------------------------
         Package                         /  Vulnerable  /   Unaffected
    -------------------------------------------------------------------
      1  www-apache/mod_authnz_external      < 3.2.6         >= 3.2.6

Impact

A remote attacker could exploit this vulnerability to inject arbitrary SQL statements by using a specially crafted username for HTTP authentication on a site using mod_authnz_external.
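
The flaw class described above, shown next to its fix. This is an added example, not code from the advisory or from mod_authnz_external's Perl script. It assumes the module's pipe method (user name and password as two lines on standard input, exit status 0 to accept); sqlite3 stands in for MySQL, and the table, salt and credentials are constructed.

```python
import hashlib
import hmac
import sqlite3
import sys

SALT = b"constructed-salt"  # constructed sample value; use a per-user salt in practice


def pw_hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000).hex()


def make_db():
    # Constructed credential table for the example.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pwhash TEXT)")
    db.execute("INSERT INTO users VALUES (?, ?)", ("alice", pw_hash("s3cret")))
    return db


def lookup_concatenated(db, username):
    # Flawed pattern: the user name is pasted into the SQL text, so a quote
    # character in it is parsed as SQL syntax instead of data.
    sql = "SELECT pwhash FROM users WHERE username = '%s'" % username
    return db.execute(sql).fetchall()


def lookup_bound(db, username):
    # Hardened pattern: the user name travels as a bound parameter and can
    # only ever be compared as a literal string.
    sql = "SELECT pwhash FROM users WHERE username = ?"
    return db.execute(sql, (username,)).fetchall()


def authenticate(db, stream):
    """Read user name and password (one per line); return 0 to accept, 1 to reject."""
    username = stream.readline().rstrip("\n")
    password = stream.readline().rstrip("\n")
    rows = lookup_bound(db, username)
    ok = len(rows) == 1 and hmac.compare_digest(rows[0][0], pw_hash(password))
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(authenticate(make_db(), sys.stdin))
```

With the bound query, a user name containing quote characters matches no row and the authenticator rejects the request.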

Workaround

There is no known workaround at this time.
