Your message dated Tue, 12 Jul 2011 17:04:27 +0200
with message-id <20110712150427.GB2418@aenima>
and subject line Closing
has caused the Debian Bug report #633637,
regarding Exploitable remotely: SQL injection
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
633637: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=633637
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libapache2-mod-authnz-external
Version: 3.2.4-2
Severity: critical
Tags: security patch
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi there,
According to
http://code.google.com/p/mod-auth-external/issues/detail?id=5 there's a
possible remote SQL injection bug. The fix is a two-liner:
- --- trunk/mod_authnz_external/mysql/mysql-auth.pl
+++ trunk/mod_authnz_external/mysql/mysql-auth.pl
@@ -62,8 +62,10 @@
exit 1;
}
- -my $dbq = $dbh->prepare("select username as username, password as password
from users where username=\'$user\';");
+my $dbq = $dbh->prepare("select username as username, password as password
from users where username=?;");
+$dbq->bind_param(1, $user);
$dbq->execute;
+
my $row = $dbq->fetchrow_hashref();
if ($row->{username} eq "") {
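Review bot: the placeholder plus `bind_param(1, $user)` does take the username out of the SQL text, but two things in the same hunk deserve a tweak. The trailing `;` left inside the prepared string (`where username=?;`) is not needed by DBI and is best dropped, and `$dbq->execute;` still discards its return value, so unless the handle was opened with RaiseError a failed execute falls through to `fetchrow_hashref`; `$dbq->execute($user) or die $dbh->errstr;` would bind and check in one step. The unchanged context line `if ($row->{username} eq "") {` only catches the no-row case because `fetchrow_hashref` returns undef and Perl autovivifies `$row` there; `unless (defined $row)` states the intent directly.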
Thanks!
- -- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (100, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.39-2-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages libapache2-mod-authnz-external depends on:
ii apache2.2-common 2.2.19-1 Apache HTTP Server common files
pn libc6 <none> (no description available)
Versions of packages libapache2-mod-authnz-external recommends:
ii pwauth 2.3.8-1 authenticator for mod_authnz_exter
libapache2-mod-authnz-external suggests no packages.
- -- no debconf information
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEARECAAYFAk4cMpUACgkQNFDtUT/MKpAAlwCgqrEBO0A+HUB4eLWSpOf5RUf7
kGkAoKTMd0zZUneJvsHnj7O+DfxXFbMZ
=w70I
-----END PGP SIGNATURE-----
--- End Message ---
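The following is an added example, not code from the bug report or from mod-auth-external, showing why the placeholder matters for a lookup of this shape. It models the `users` query from mysql-auth.pl with Python's sqlite3 so it runs offline; the table contents, the attacker payload, and the assumption that the script goes on to compare the returned password with the one the client supplied are all constructed for the demonstration. The interpolated query lets a UNION in the username field return a row whose password the attacker chose, which then "authenticates"; the parameterized query treats the same string as a literal username and finds nothing.

```python
"""
Added example: a stand-in for the username lookup in mysql-auth.pl, using
sqlite3 so it runs offline. It is not code from mod-auth-external.
"""
import sqlite3

# Constructed sample accounts; the real script reads a MySQL `users` table.
USERS = [("alice", "s3cret"), ("bob", "hunter2")]

# Constructed attacker input for the username field. The UNION branch supplies
# a row whose password the attacker chooses; the trailing comment swallows the
# closing quote that the vulnerable query appends.
PAYLOAD = "' union select 'x','attacker' --"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (username text, password text)")
    conn.executemany("insert into users values (?, ?)", USERS)
    return conn


def lookup_vulnerable(conn, user):
    """Pre-patch shape: the username is spliced into the SQL text."""
    sql = ("select username as username, password as password "
           f"from users where username='{user}'")
    return conn.execute(sql).fetchone()


def lookup_fixed(conn, user):
    """Patched shape: a placeholder, with the username bound as a parameter."""
    sql = ("select username as username, password as password "
           "from users where username=?")
    return conn.execute(sql, (user,)).fetchone()


def authenticate(conn, lookup, user, password):
    """Assumed flow around the lookup: fetch the row, fail if nothing matched,
    then compare passwords. The plain-text comparison only mirrors the stored
    `password` column in the query; it is not a recommendation."""
    row = lookup(conn, user)
    if row is None or row[0] == "":
        return False
    return row[1] == password


if __name__ == "__main__":
    db = make_db()
    print("legit login, vulnerable query:", authenticate(db, lookup_vulnerable, "alice", "s3cret"))
    print("legit login, fixed query:     ", authenticate(db, lookup_fixed, "alice", "s3cret"))
    print("payload, vulnerable query:    ", authenticate(db, lookup_vulnerable, PAYLOAD, "attacker"))
    print("payload, fixed query:         ", authenticate(db, lookup_fixed, PAYLOAD, "attacker"))
    print("fixed lookup sees payload as a literal username:", lookup_fixed(db, PAYLOAD))
```

Running it prints True for the legitimate login under both queries, True for the payload under the vulnerable query (the attacker logs in as the synthetic user with password "attacker"), and False under the fixed one, whose lookup simply returns None.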
--- Begin Message ---
Sorry for the noise, the patch is already in Debian.
Closing the bug now.
--
.''`. Ex nihilo nihil fit
: :' :
`. `'
`- Proudly running Debian GNU/Linux
--- End Message ---