Rapid7 Vulnerability & Exploit Database

RHSA-2010:1002: mod_auth_mysql security update

Severity: 8
CVSS: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Published: 01/22/2009
Created: 07/25/2018
Added: 01/04/2011
Modified: 07/04/2017

Description

The mod_auth_mysql package includes an extension module for the Apache HTTP Server, which can be used to implement web user authentication against a MySQL database.

A flaw was found in the way mod_auth_mysql escaped certain multibyte-encoded strings. If mod_auth_mysql was configured to use a multibyte character set that allowed a backslash ("\") as part of the character encodings, a remote attacker could inject arbitrary SQL commands into a login request. (CVE-2008-2384)

Note: This flaw only affected non-default installations where AuthMySQLCharacterSet is configured to use one of the affected multibyte character sets. Installations that did not use the AuthMySQLCharacterSet configuration option were not vulnerable to this flaw.

All mod_auth_mysql users are advised to upgrade to this updated package, which contains a backported patch to correct this issue. After installing the updated package, the httpd daemon must be restarted for the update to take effect.
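To check whether a host falls under the non-default case described in the note above, the following added example (not code from Rapid7, Red Hat or the mod_auth_mysql project) scans Apache configuration text for AuthMySQLCharacterSet and tests whether byte 0x5C (backslash) can be the second byte of a character in the configured set. The mapping from MySQL character set names to Python codecs is an assumption, and Python's codec tables only approximate MySQL's.

```python
import re

# MySQL charset name -> Python codec approximating it (assumed mapping).
CODECS = {"big5": "big5", "gbk": "gbk", "sjis": "shift_jis", "cp932": "cp932",
          "ujis": "euc_jp", "euckr": "euc_kr", "gb2312": "gb2312",
          "utf8": "utf_8", "latin1": "latin_1"}
# Apache directive names are case-insensitive; '#' comment lines do not match.
DIRECTIVE = re.compile(r"^\s*AuthMySQLCharacterSet\s+(\S+)", re.IGNORECASE)

def backslash_is_trail_byte(codec):
    """True if some two-byte sequence ending in 0x5C decodes to one character."""
    for lead in range(0x80, 0x100):
        try:
            if len(bytes([lead, 0x5C]).decode(codec)) == 1:
                return True
        except UnicodeDecodeError:
            continue
    return False

def audit(config_text):
    """Return (line_no, charset, verdict) for each AuthMySQLCharacterSet line."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        match = DIRECTIVE.match(line)
        if not match:
            continue
        charset = match.group(1).strip("\"'").lower()
        codec = CODECS.get(charset)
        if codec is None:
            verdict = "unknown"       # not in the table: review by hand
        elif backslash_is_trail_byte(codec):
            verdict = "affected"      # 0x5C can sit inside a character
        else:
            verdict = "not affected"
        findings.append((line_no, charset, verdict))
    return findings

# Constructed sample configuration, not taken from a real host.
SAMPLE = """\
<Directory "/var/www/private">
    # AuthMySQLCharacterSet big5
    AuthMySQLCharacterSet gbk
</Directory>
<Directory "/var/www/other">
    AuthMySQLCharacterSet utf8
</Directory>
"""

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A configuration with no findings does not use AuthMySQLCharacterSet at all, which the advisory states was not vulnerable to this flaw.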

Solution(s)

  • redhat-upgrade-mod_auth_mysql
  • redhat-upgrade-mod_auth_mysql-debuginfo
