mod_auth_pgsql Format String Bugs Let Remote Users Execute Arbitrary Code

SecurityTracker Alert ID: 1015446
SecurityTracker URL: http://securitytracker.com/id/1015446
CVE Reference: CVE-2005-3656
Date: Jan 6 2006
Impact: Execution of arbitrary code via network, User access via network

Description:
A vulnerability was reported in mod_auth_pgsql. A remote user may be able to execute arbitrary code on the target system.
A user can supply specially crafted information to trigger a format string flaw in the way mod_auth_pgsql logs information. It may be possible to execute arbitrary code on the target system.
Only systems that have mod_auth_pgsql installed and configured to perform user authentication against a PostgreSQL database are affected.
Red Hat credited iDEFENSE with reporting this vulnerability.
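
The bug class described above, as an added illustration in C (not mod_auth_pgsql's code and not a vendor patch): a logging call that uses request-derived text as the format string, next to the form that passes that text as an argument. The names `log_line`, `log_auth_failure`, `log_auth_failure_unsafe` and the `SHOW_VULNERABLE` switch are hypothetical, and the user name is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical logging wrapper. The format attribute lets GCC/Clang check
 * callers: with -Wformat -Wformat-security, a call whose format is not a
 * string literal and that passes no arguments is reported at build time. */
#if defined(__GNUC__)
__attribute__((format(printf, 3, 4)))
#endif
static int log_line(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int len = vsnprintf(out, n, fmt, ap);  /* bounded write into out */
    va_end(ap);
    return len;
}

#ifdef SHOW_VULNERABLE
/* Vulnerable shape (compiled only on request): the message is built from
 * request data and then handed to the logger as the format string, so any
 * conversion specifier in the user name is interpreted by vsnprintf. */
static int log_auth_failure_unsafe(char *out, size_t n, const char *user)
{
    char msg[256];
    snprintf(msg, sizeof msg, "auth failed for user %s", user);
    return log_line(out, n, msg);
}
#endif

/* Hardened shape: the format is a constant and request data is only ever an
 * argument, so it is copied into the log line byte for byte. */
static int log_auth_failure(char *out, size_t n, const char *user)
{
    return log_line(out, n, "auth failed for user %s", user);
}

int main(void)
{
    char line[128];
    /* Constructed input: a user name that carries conversion specifiers. */
    log_auth_failure(line, sizeof line, "bob%x%x");
    puts(line);
    return 0;
}
```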

Impact:
A remote user may be able to execute arbitrary code on the target system.

Solution:
No upstream solution was available at the time of this entry.

Cause:
Input validation error, State error

Underlying OS:
Linux (Any), UNIX (Any)

Message History:
This archive entry has one or more follow-up message(s) listed below.

Source Message Contents

Date: Thu, 5 Jan 2006 22:39:41 -0500
Subject: mod_auth_pgsql vulnerability

Red Hat reported:
Several format string flaws were found in the way mod_auth_pgsql logs
information. It may be possible for a remote attacker to execute arbitrary
code as the 'apache' user if mod_auth_pgsql is used for user
authentication. The Common Vulnerabilities and Exposures project assigned
the name CVE-2005-3656 to this issue.
Please note that this issue only affects servers which have mod_auth_pgsql
installed and configured to perform user authentication against a
PostgreSQL database.