[Secure-testing-team] Bug#633637: Exploitable remotely: SQL injection

Amaya Rodrigo Sastre amaya at debian.org
Tue Jul 12 11:40:08 UTC 2011


Package: libapache2-mod-authnz-external
Version: 3.2.4-2
Severity: critical
Tags: security patch

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi there,

According to
http://code.google.com/p/mod-auth-external/issues/detail?id=5 there's a
possible remote SQL injection bug. The fix is a two-liner:

- --- trunk/mod_authnz_external/mysql/mysql-auth.pl
+++ trunk/mod_authnz_external/mysql/mysql-auth.pl
@@ -62,8 +62,10 @@
exit 1;
}

- -my $dbq = $dbh->prepare("select username as username, password as password from users where username=\'$user\';");
+my $dbq = $dbh->prepare("select username as username, password as password from users where username=?;");
+$dbq->bind_param(1, $user);
$dbq->execute;
+
my $row = $dbq->fetchrow_hashref();

if ($row->{username} eq "") {
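
Review bot: the return values of the new `$dbq->bind_param(1, $user);` call and of the unchanged `$dbq->execute;` after it are not checked, so unless the handle was opened with RaiseError (not visible in this hunk) a failed bind or execute falls through to `fetchrow_hashref()` and the `$row->{username} eq ""` test. Passing the value straight to execute and failing closed, as in `$dbq->execute($user) or exit 1;`, would match the `exit 1;` already used at the top of the hunk and make the separate bind_param line unnecessary. The blank `+` line added after `$dbq->execute;` is unrelated whitespace and can be dropped, and the trailing `;` inside the SQL string is not needed for a single prepared statement.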


Thanks!


- -- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing'), (100, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.39-2-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libapache2-mod-authnz-external depends on:
ii  apache2.2-common              2.2.19-1   Apache HTTP Server common files
pn  libc6                         <none>     (no description available)

Versions of packages libapache2-mod-authnz-external recommends:
ii  pwauth                        2.3.8-1    authenticator for mod_authnz_exter

libapache2-mod-authnz-external suggests no packages.

- -- no debconf information

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk4cMpUACgkQNFDtUT/MKpAAlwCgqrEBO0A+HUB4eLWSpOf5RUf7
kGkAoKTMd0zZUneJvsHnj7O+DfxXFbMZ
=w70I
-----END PGP SIGNATURE-----




