Candidate: CVE-2008-2384
PublicDate: 2009-01-22 18:30:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2384
Description:
 SQL injection vulnerability in mod_auth_mysql.c in the mod-auth-mysql (aka
 libapache2-mod-auth-mysql) module for the Apache HTTP Server 2.x, when
 configured to use a multibyte character set that allows a \ (backslash) as
 part of the character encoding, allows remote attackers to execute
 arbitrary SQL commands via unspecified inputs in a login request.
Ubuntu-Description:
Notes:
 mdeslaur> Specifying an encoding was introduced by the 012-charset.dpatch
 mdeslaur> patch in 4.3.9-10. Since we don't support specifying an encoding
 mdeslaur> mysql won't decode the username and injection is not possible.
Bugs:
Priority: medium
Discovered-by: Martin Joey Schulze
Assigned-to:
CVSS:

Patches_mod-auth-mysql:
 vendor: http://patch-tracking.debian.net/patch/series/view/mod-auth-mysql/4.3.9-11/013-CVE-2008-2384_charset
upstream_mod-auth-mysql: released (4.3.9-11)
dapper_mod-auth-mysql: DNE
gutsy_mod-auth-mysql: DNE
hardy_mod-auth-mysql: DNE
intrepid_mod-auth-mysql: not-affected (no encoding support)
devel_mod-auth-mysql: not-affected (4.3.9-11)

Patches_libapache-mod-auth-mysql:
upstream_libapache-mod-auth-mysql: released (4.3.9-11)
dapper_libapache-mod-auth-mysql: not-affected (no encoding support)
gutsy_libapache-mod-auth-mysql: not-affected (no encoding support)
hardy_libapache-mod-auth-mysql: not-affected (no encoding support)
intrepid_libapache-mod-auth-mysql: DNE
devel_libapache-mod-auth-mysql: DNE