mod_auth_pgsql Format String Bugs Let Remote Users Execute Arbitrary Code
|
|
SecurityTracker Alert ID: 1015446
|
|
SecurityTracker URL: http://securitytracker.com/id?1015446
|
|
CVE Reference: CVE-2005-3656
(Links to External Site)
|
Date: Jan 6 2006
|
Impact: Execution of arbitrary code via network, User access via network
|
Description: A vulnerability was reported in mod_auth_pgsql. A remote user may be able to execute arbitrary code on the target system.
A user can supply specially crafted information to trigger a format string flaw in mod_auth_pgsql in the logging of information.
It may be possible to execute arbitrary code on the target system.
Only systems that mod_auth_pgsql installed and configured
to perform user authentication against a PostgreSQL database are affected.
Red Hat credited iDEFENSE with reporting this vulnerability.
|
Impact: A remote user may be able to execute arbitrary code on the target system.
|
Solution: No upstream solution was available at the time of this entry.
|
Cause: Input validation error, State error
|
Underlying OS: Linux (Any), UNIX (Any)
|
|
Message History:
This archive entry has one or more follow-up message(s) listed below.
|
Source Message Contents
|
Date: Thu, 5 Jan 2006 22:39:41 -0500
Subject: mod_auth_pgsql vulnerability
|
Red Hat reported:
Several format string flaws were found in the way mod_auth_pgsql logs
information. It may be possible for a remote attacker to execute arbitrary
code as the 'apache' user if mod_auth_pgsql is used for user
authentication. The Common Vulnerabilities and Exposures project assigned
the name CVE-2005-3656 to this issue.
Please note that this issue only affects servers which have mod_auth_pgsql
installed and configured to perform user authentication against a
PostgreSQL database.
|
|
