|Check Point Reference:||CPAI-2006-014|
|Date Published:||12 Feb 2006|
|Last Updated:||8 May 2007|
|Source:||iDEFENSE ADVISORY: 01.09.06|
|Protection Provided by:|
|Who is Vulnerable?||version 2.0.2b1 of mod_auth_pgsql for Apache 2.x|
|Vulnerability Description||A vulnerability exists in multiple versions of an authentication module (mod_auth_pgsql) for Apache httpd. To exploit this vulnerability, a user can supply specially crafted information to trigger a flaw in certain logging functions of the module. Successful exploitation could result in the execution of arbitrary code on the target system.
This module is not installed by default, but is available as a package from some vendors, including Red Hat Linux, Debian GNU/Linux and FreeBSD. Only systems that have the mod_auth_pgsql module installed and are configured to authenticate against a PostgreSQL database using this module are affected.|
|Vulnerability Details||The mod_auth_pgsql module for Apache httpd is a third-party authentication module that allows authentication details to be stored in a PostgreSQL database. To exploit the vulnerability, the attacker must know the URI of at least one resource on the Web server that authenticates using this module.|
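
The exposure condition described above (module installed and resources configured to authenticate through it) can be checked against an httpd configuration. The following is an added example, not part of the original advisory or of any vendor tooling. It assumes the module's usual `auth_pgsql_module` LoadModule identifier and `Auth_PG_*` directive prefix, and the sample configuration is constructed.

```python
import re

# Constructed sample httpd configuration (not taken from the advisory).
SAMPLE_CONF = """\
LoadModule auth_pgsql_module modules/mod_auth_pgsql.so
<VirtualHost *:80>
    <Location /members>
        AuthType Basic
        AuthName "Members"
        Auth_PG_host 127.0.0.1
        Auth_PG_database webauth
        Auth_PG_pwd_table users
        Require valid-user
    </Location>
</VirtualHost>
"""

# Apache directive names are case-insensitive.
LOAD_RE = re.compile(r"^LoadModule\s+auth_pgsql_module\b", re.I)
AUTH_PG_RE = re.compile(r"^Auth_PG_\w+", re.I)
OPEN_RE = re.compile(r"^<(\w+)\s*([^>]*)>$")
CLOSE_RE = re.compile(r"^</\w+>$")


def audit_config(text):
    """Report whether the module is loaded and which sections rely on it."""
    loaded, stack, scopes = False, [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # skip blanks and comments
            continue
        if LOAD_RE.match(line):
            loaded = True
        elif CLOSE_RE.match(line):
            if stack:
                stack.pop()                     # leave the innermost section
        elif (m := OPEN_RE.match(line)):
            stack.append(f"{m.group(1)} {m.group(2).strip()}".strip())
        elif AUTH_PG_RE.match(line):
            scope = " > ".join(stack) or "(top level)"
            if scope not in scopes:
                scopes.append(scope)
    # "exposed" only means the advisory's configuration condition is met.
    return {"module_loaded": loaded, "scopes": scopes,
            "exposed": loaded and bool(scopes)}


if __name__ == "__main__":
    print(audit_config(SAMPLE_CONF))
```

A positive result only shows that the host matches the configuration condition; the installed mod_auth_pgsql version still has to be compared with the affected version listed above.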