Rapid7 Vulnerability & Exploit Database

RHSA-2009:0259: mod_auth_mysql security update


Severity: 8
CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Published: 01/22/2009
Created: 07/25/2018
Added: 02/22/2009
Modified: 07/04/2017

Description

The mod_auth_mysql package includes an extension module for the Apache HTTP Server which can be used to implement web user authentication against a MySQL database.

A flaw was found in the way mod_auth_mysql escaped certain multibyte-encoded strings. If mod_auth_mysql was configured to use a multibyte character set that allowed a backslash '\' as part of the character encodings, a remote attacker could inject arbitrary SQL commands into a login request. (CVE-2008-2384)

Note: This flaw only affected non-default installations where AuthMySQLCharacterSet is configured to use one of the affected multibyte character sets. Installations that did not use the AuthMySQLCharacterSet configuration option were not vulnerable to this flaw.

All mod_auth_mysql users are advised to upgrade to the updated package, which contains a backported patch to resolve this issue. After installing the update, the httpd daemon must be restarted for the fix to take effect.
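To check whether a host is in the non-default configuration the note describes, the following added example (not part of the Red Hat advisory or the Rapid7 entry) scans Apache configuration files for an active AuthMySQLCharacterSet directive. The function names and the sample configuration, including its character-set values, are constructed for illustration; the page does not list the affected character sets, so every hit needs manual review.

```shell
#!/bin/sh
# Added example: report active AuthMySQLCharacterSet directives in Apache config files.

# audit_charset FILE...
# Prints file:line:value for each uncommented directive; returns 0 if any was found.
audit_charset() {
    awk '
        {
            line = $0
            sub(/^[ \t]+/, "", line)                 # Apache allows leading whitespace
            if (line == "" || line ~ /^#/) next      # skip blanks and comments
            split(line, f, /[ \t]+/)
            # Directive names are case-insensitive in Apache configuration
            if (tolower(f[1]) == "authmysqlcharacterset") {
                val = f[2]
                gsub(/"/, "", val)                   # drop optional quoting
                printf "%s:%d:%s\n", FILENAME, FNR, val
                found = 1
            }
        }
        END { exit(found ? 0 : 1) }
    ' "$@"
}

# make_sample DIR: write a constructed sample configuration (not from a real host).
make_sample() {
    cat > "$1/auth.conf" <<'EOF'
<Location /private>
    AuthType Basic
    # AuthMySQLCharacterSet sjis
    authmysqlcharacterset "gbk"
</Location>
EOF
    cat > "$1/plain.conf" <<'EOF'
<Location /other>
    AuthType Basic
</Location>
EOF
}

# Demo run against the constructed sample.
tmp=$(mktemp -d)
make_sample "$tmp"
audit_charset "$tmp"/*.conf || echo "no AuthMySQLCharacterSet directive found"
rm -rf "$tmp"
```

On a real system, pass the server's own configuration files instead of the sample, for example /etc/httpd/conf/httpd.conf and /etc/httpd/conf.d/*.conf (typical Red Hat paths, assumed here), plus any .htaccess files that carry authentication settings.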

Solution(s)

  • redhat-upgrade-mod_auth_mysql
