CVE-2005-3656
CVSS 10.0
Published: 2005-12-31 00:00:00
Last revised: 2011-03-07 00:00:00

[Original] Multiple format string vulnerabilities in logging functions in mod_auth_pgsql before 2.0.3, when used for user authentication against a PostgreSQL database, allow remote unauthenticated attackers to execute arbitrary code, as demonstrated via the username.


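[CNNVD] Multiple Vendor mod_auth_pgsql Format String Handling Vulnerability (CNNVD-200512-729)

        The mod_auth_pgsql Apache module allows user authentication against data stored in a PostgreSQL database.
        The mod_auth_pgsql Apache module has a vulnerability in its handling of logging; a remote attacker may exploit it to execute arbitrary commands on the host.
        Due to a design error, several logging functions in the mod_auth_pgsql module use user-supplied values as input to the format specifier, for example:
         ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, pg_errstr);
        If this part of the error message contains format string specifiers, they are processed. For example, if the username is "%x%x%x%x%x", content similar to the following appears in the error_log file of the target httpd:
        [Tue Sep 23 11:34:38 2005] [error] [client 10.1.10.11] mod_auth_pgsql:
         Password for user 406869a083b3c900083b3cb3 not found (PG-Authoritative)
        The sequence of hexadecimal characters is the result of the ap_log_rerror() function parsing the input string as a format string, and contains values from the stack. If the supplied name causes an invalid memory access, the child process exits, leaving an error log entry similar to the following:
        [Tue Sep 24 11:25:53 2005] [notice] child pid 12345 exit signal
         Segmentation fault (11)
        An attacker who successfully exploits this vulnerability can execute arbitrary code in the httpd context.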
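
The logging flaw described above, reduced to a stand-alone C sketch as an added example (not code from mod_auth_pgsql or Apache). `log_rerror()` is a hypothetical stand-in for `ap_log_rerror()`, and `build_errstr()`, `log_failure_vulnerable()`, `log_failure_fixed()` and `count_format_directives()` are illustrative names; the sketch puts the message-as-format call beside the corrected call that passes the message as data through a constant `"%s"` format, plus a helper for flagging conversion directives in untrusted input.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for ap_log_rerror(): printf-style format plus
 * arguments, rendered into `out` instead of the server's error_log. */
static int log_rerror(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return n;
}

/* Embed the client-supplied user name in the error text (assumed message
 * layout, modelled on the log line quoted in the description). */
static void build_errstr(char *pg_errstr, size_t len, const char *user)
{
    snprintf(pg_errstr, len,
             "mod_auth_pgsql: Password for user %s not found (PG-Authoritative)",
             user);
}

/* BEFORE: the assembled message is passed as the format argument, so any
 * '%' directive inside the user name is interpreted by the formatter. */
int log_failure_vulnerable(char *out, size_t outlen, const char *user)
{
    char pg_errstr[512];
    build_errstr(pg_errstr, sizeof pg_errstr, user);
    return log_rerror(out, outlen, pg_errstr);        /* CWE-134 */
}

/* AFTER: constant format string, message passed as data. */
int log_failure_fixed(char *out, size_t outlen, const char *user)
{
    char pg_errstr[512];
    build_errstr(pg_errstr, sizeof pg_errstr, user);
    return log_rerror(out, outlen, "%s", pg_errstr);
}

/* Count '%' conversion directives in untrusted input; "%%" is a literal
 * percent sign and a trailing lone '%' is not counted. Useful in regression
 * tests and when reviewing authentication logs for probing. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        if (s[1] != '\0') n++;
    }
    return n;
}

int main(void)
{
    char out[512];
    const char *user = "%x%x%x%x%x";  /* sample user name from the description */

    log_failure_fixed(out, sizeof out, user);
    printf("fixed:      %s\n", out);

    /* Undefined behaviour by design: the formatter reads arguments that were
     * never passed, so the hex digits printed here vary by platform. */
    log_failure_vulnerable(out, sizeof out, user);
    printf("vulnerable: %s\n", out);

    printf("directives in user name: %d\n", count_format_directives(user));
    return 0;
}
```

With the fixed call the user name reaches the log byte for byte; the same audit applies to every `ap_log_rerror()` call site whose format argument is not a string literal.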

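- CVSS (Base Score)

CVSS score: 10 [Severe (HIGH)]
Confidentiality impact: COMPLETE [Total information disclosure, exposing all system files]
Integrity impact: COMPLETE [System integrity can be completely compromised]
Availability impact: COMPLETE [May cause a total shutdown of the system]
Attack complexity: LOW [No access restrictions apply to exploitation]
Attack vector: [--]
Authentication: NONE [Exploitation requires no authentication]

- CWE (Weakness Category)

CWE-134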

- CPE (Affected Platforms and Products)

cpe:/a:guiseppe_tanzilli_and_matthias_eckermann:mod_auth_pgsql:0.9.5
cpe:/a:guiseppe_tanzilli_and_matthias_eckermann:mod_auth_pgsql:2.0.3
cpe:/a:guiseppe_tanzilli_and_matthias_eckermann:mod_auth_pgsql:0.9.6

- OVAL (Technical Details for Detection)

oval:org.mitre.oval:def:10600  Multiple format string vulnerabilities in logging functions in mod_auth_pgsql before 2.0.3, when used for user authentication against a Post...
*OVAL describes in detail how to detect this vulnerability; more technical detail on detection can be found in the related OVAL definition.

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3656
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-3656
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200512-729
(Official data source) CNNVD

- Other Links and Resources

http://www.ubuntulinux.org/support/documentation/usn/usn-239-1
(PATCH)  UBUNTU  USN-239-1
http://www.trustix.org/errata/2006/0002/
(PATCH)  TRUSTIX  2006-0002
http://www.securityfocus.com/bid/16153
(PATCH)  BID  16153
http://www.redhat.com/support/errata/RHSA-2006-0164.html
(PATCH)  REDHAT  RHSA-2006:0164
http://www.redhat.com/archives/fedora-announce-list/2006-January/msg00016.html
(PATCH)  CONFIRM  http://www.redhat.com/archives/fedora-announce-list/2006-January/msg00016.html
http://www.redhat.com/archives/fedora-announce-list/2006-January/msg00015.html
(PATCH)  CONFIRM  http://www.redhat.com/archives/fedora-announce-list/2006-January/msg00015.html
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=367
(VENDOR_ADVISORY)  IDEFENSE  20060109 Multiple Vendor mod_auth_pgsql Format String Vulnerability
http://www.giuseppetanzilli.it/mod%5Fauth%5Fpgsql2/
(PATCH)  CONFIRM  http://www.giuseppetanzilli.it/mod%5Fauth%5Fpgsql2/
http://www.gentoo.org/security/en/glsa/glsa-200601-05.xml
(VENDOR_ADVISORY)  GENTOO  GLSA-200601-05
http://www.debian.de/security/2006/dsa-935
(VENDOR_ADVISORY)  DEBIAN  DSA-935
http://securitytracker.com/id?1015446
(PATCH)  SECTRACK  1015446
http://secunia.com/advisories/18517
(VENDOR_ADVISORY)  SECUNIA  18517
http://secunia.com/advisories/18463
(VENDOR_ADVISORY)  SECUNIA  18463
http://secunia.com/advisories/18403
(VENDOR_ADVISORY)  SECUNIA  18403
http://secunia.com/advisories/18397
(VENDOR_ADVISORY)  SECUNIA  18397
http://secunia.com/advisories/18350
(VENDOR_ADVISORY)  SECUNIA  18350
http://secunia.com/advisories/18348
(VENDOR_ADVISORY)  SECUNIA  18348
http://secunia.com/advisories/18347
(VENDOR_ADVISORY)  SECUNIA  18347
http://secunia.com/advisories/18321
(VENDOR_ADVISORY)  SECUNIA  18321
http://secunia.com/advisories/18304
(VENDOR_ADVISORY)  SECUNIA  18304
ftp://patches.sgi.com/support/free/security/advisories/20060101-01-U
(PATCH)  SGI  20060101-01-U
http://www.vupen.com/english/advisories/2006/0070
(UNKNOWN)  VUPEN  ADV-2006-0070
http://www.mandriva.com/security/advisories?name=MDKSA-2006:009
(UNKNOWN)  MANDRIVA  MDKSA-2006:009

- Vulnerability Information

Multiple Vendor mod_auth_pgsql Format String Handling Vulnerability
Critical  Format string
2005-12-31 00:00:00 2006-06-05 00:00:00
Remote

- Advisories and Patches

        The vendor has released an upgrade patch that fixes this security issue. Patch download links:
        ftp://updates.redhat.com/enterprise/3AS/en/os/SRPMS/mod_a
        http://www.giuseppetanzilli.it/mod_auth_pgsql2/dist/

- Vulnerability Information (F42967)

Debian Linux Security Advisory 935-1 (PacketStormID:F42967)
2006-01-11 00:00:00
Debian  debian.org
advisory,web,arbitrary
linux,debian
CVE-2005-3656

Debian Security Advisory DSA 935-1 - iDEFENSE reports that a format string vulnerability in mod_auth_pgsql, a library used to authenticate web users against a PostgreSQL database, could be used to execute arbitrary code with the privileges of the httpd user.

--------------------------------------------------------------------------
Debian Security Advisory DSA 935-1                     security@debian.org
http://www.debian.org/security/                              Michael Stone
January 10, 2006                        http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : libapache2-mod-auth-pgsql
Vulnerability  : format string vulnerability
Problem-Type   : remote
Debian-specific: no
CVE ID         : CVE-2005-3656
Debian Bug     : 307852

iDEFENSE reports that a format string vulnerability in mod_auth_pgsql, a
library used to authenticate web users against a PostgreSQL database,
could be used to execute arbitrary code with the privileges of the httpd
user.

The old stable distribution (woody) does not contain
libapache2-mod-auth-pgsql.

For the stable distribution (sarge) this problem has been fixed in
version 2.0.2b1-5sarge0.

For the unstable distribution (sid) this problem will be fixed shortly.

We recommend that you upgrade your libapache2-mod-auth-pgsql package.


Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.1 alias sarge
--------------------------------

  These files will probably be moved into the stable distribution on
  its next update.

---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

- Vulnerability Information (F42934)

iDEFENSE Security Advisory 2006-01-09.t (PacketStormID:F42934)
2006-01-10 00:00:00
iDefense Labs,Sparfell  idefense.com
advisory,remote,arbitrary
CVE-2005-3656

iDefense Security Advisory 01.09.06 - Remote exploitation of a format string vulnerability in multiple versions of the mod_auth_pgsql authentication module for the Apache httpd could allow the execution of arbitrary code in the context of the httpd. iDefense has confirmed the existence of this vulnerability in version 2.0.2b1 of mod_auth_pgsql for Apache 2.x. It is suspected that earlier versions are also affected.

Multiple Vendor mod_auth_pgsql Format String Vulnerability

iDefense Security Advisory 01.09.06
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=367
January 09, 2006

I. BACKGROUND

The mod_auth_pgsql apache module allows user authentication against
information stored in a PostgreSQL database. More information can be
found at the following site:

    http://www.giuseppetanzilli.it/mod_auth_pgsql2/

II. DESCRIPTION

Remote exploitation of a format string vulnerability in multiple
versions of the mod_auth_pgsql authentication module for the Apache
httpd could allow the execution of arbitrary code in the context of the
httpd.

The mod_auth_pgsql module for the Apache httpd is a third party
authentication module which allows authentication details to be stored
in a PostgreSQL database. Although this is a third party module, it is
available as a package for several distributions, including Red Hat
Linux, Debian GNU/Linux and FreeBSD.

Due to a design error, many of the logging functions in this module take
user supplied values as input to the format specifier. An example of
this is shown below:

    ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, pg_errstr);

When part of the error message contains a format string specifier it is
processed. For example, for the username "%x%x%x%x%x", output similar
to the following may appear in the 'error_log' file for the targeted
httpd:

[Tue Sep 23 11:34:38 2005] [error] [client 10.1.10.11] mod_auth_pgsql:
 Password for user 406869a083b3c900083b3cb3 not found (PG-Authoritative)

The sequence of hex characters is the result of the ap_log_rerror()
function parsing the input string as a format string, and contains
values from the stack. When the name supplied causes an invalid memory
access, the child process may exit with a logged error similar to:

[Tue Sep 24 11:25:53 2005] [notice] child pid 12345 exit signal
 Segmentation fault (11)

III. ANALYSIS

Successful exploitation allows remote attackers to gain local access to
the vulnerable system in the context of the affected httpd. In order to
exploit this vulnerability, the attacker must know the URI of at least
one resource on the web server which is configured to use this module for
authentication. This module is not installed by default, but is
available as a package from some vendors, including Red Hat. Additional
configuration is required before the module is active after installing.

While format string exploit techniques are well documented, most
discussions of and exploits for vulnerabilities containing them rely on
the user supplied string being located on the stack. The reason for
this is that it allows the attacker to directly supply pointers to the
memory locations they wish to modify via the %n format specifier. As
this module does not store the format string on the stack, this may make
exploitation more difficult as techniques for exploiting this kind of
format string are not as commonly known. However, such information is
publicly available.

Successful exploitation would allow a remote unauthenticated user access
to an affected system with the permissions of the httpd itself.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in version
2.0.2b1 of mod_auth_pgsql for Apache 2.x. It is suspected that earlier
versions are also affected.

V. WORKAROUND

Disable the module, and use another form of authentication for the
affected resource.

In order to disable the module on Red Hat systems, execute the following
commands as root:

  cd /etc/httpd/conf.d
  mv auth_pgsql.conf auth_pgsql.disabled

If you have any '.htaccess' files, you may also have to disable any
authentication with references to mod_auth_pgsql directives. These
directives all start with 'Auth_PG_'.

At this point, you should add another authentication method for the
resources that were protected by this module. The exact operations to
perform are dependent on which authentication method you choose to use.

After performing these steps, restart the httpd by executing the
following command as root:

  /sbin/service httpd restart

For other distributions, the general steps are the same (disable the
module, add another form of authentication, and restart the httpd),
however the details may vary slightly.

VI. VENDOR RESPONSE

The maintainer has released mod_auth_pgsql 2.0.3 to address this
vulnerability, which is available for download at:

  http://www.giuseppetanzilli.it/mod_auth_pgsql2/dist/
 
Red Hat, Inc:

Updates are available for Red Hat Enterprise Linux 3 and 4 to correct
this issue.  Red Hat Enterprise Linux 2.1 was not affected by this
issue. New mod_auth_pgsql packages along with our advisory are available
at the URL below and by using the Red Hat Network 'up2date' tool.
 
 https://rhn.redhat.com/errata/RHSA-2006-0164.html

Updates are available for Fedora Core 3 and 4 to correct this issue.
 
 www.redhat.com/archives/fedora-announce-list/2006-January/msg00016.html
 www.redhat.com/archives/fedora-announce-list/2006-January/msg00015.html

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2005-3656 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

11/15/2005  Initial vendor notification
11/22/2005  Initial vendor response
01/09/2006  Coordinated public disclosure

IX. CREDIT

The discovery of this vulnerability is credited to Sparfell.


X. LEGAL NOTICES

Copyright     

- Vulnerability Information (F42920)

Ubuntu Security Notice 239-1 (PacketStormID:F42920)
2006-01-10 00:00:00
Ubuntu  security.ubuntu.com
advisory,remote,arbitrary,vulnerability
linux,ubuntu
CVE-2005-3656

Ubuntu Security Notice USN-239-1 - Several format string vulnerabilities were discovered in the error logging handling of libapache2-mod-auth-pgsql. By sending specially crafted user names, an unauthenticated remote attacker could exploit this to crash the Apache server or possibly even execute arbitrary code with the privileges of Apache.

===========================================================
Ubuntu Security Notice USN-239-1	   January 09, 2006
libapache2-mod-auth-pgsql vulnerability
CVE-2005-3656
===========================================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)
Ubuntu 5.10 (Breezy Badger)

The following packages are affected:

libapache2-mod-auth-pgsql

The problem can be corrected by upgrading the affected package to
version 2.0.2b1-2ubuntu0.1 (for Ubuntu 4.10), 2.0.2b1-5ubuntu0.1 (for
Ubuntu 5.04), or 2.0.2b1-6ubuntu0.1 (for Ubuntu 5.10).  After a
standard system upgrade you need to restart the Apache 2 server to
effect the necessary changes:

  sudo /etc/init.d/apache2 restart

Details follow:

Several format string vulnerabilities were discovered in the error
logging handling. By sending specially crafted user names, an
unauthenticated remote attacker could exploit this to crash the Apache
server or possibly even execute arbitrary code with the privileges of
Apache (user 'www-data').


- Vulnerability Information

22259
mod_auth_pgsql for Apache HTTP Server Log Function Format String
Local / Remote, Context Dependent Input Manipulation
Loss of Integrity
Vendor Verified

- Vulnerability Description

- Timeline

2006-01-05 Unknown
Unknown Unknown

- Solution

Upgrade to version 2.0.3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability Author

Unknown or Incomplete

- Vulnerability Information

Apache mod_auth_pgsql Multiple Format String Vulnerabilities
Input Validation Error 16153
Yes No
2006-01-06 12:00:00 2006-07-11 10:33:00
Discovery is credited to Sparfell.

- Affected Software Versions

Ubuntu Ubuntu Linux 5.10 powerpc
Ubuntu Ubuntu Linux 5.10 i386
Ubuntu Ubuntu Linux 5.10 amd64
Ubuntu Ubuntu Linux 5.0 4 powerpc
Ubuntu Ubuntu Linux 5.0 4 i386
Ubuntu Ubuntu Linux 5.0 4 amd64
Ubuntu Ubuntu Linux 4.1 ppc
Ubuntu Ubuntu Linux 4.1 ia64
Ubuntu Ubuntu Linux 4.1 ia32
Trustix Secure Linux 3.0
Trustix Secure Linux 2.2
Trustix Secure Enterprise Linux 2.0
RedHat Enterprise Linux WS 4
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux ES 4
RedHat Enterprise Linux ES 3
RedHat Desktop 4.0
RedHat Desktop 3.0
Red Hat Fedora Core4
Red Hat Fedora Core3
Red Hat Fedora Core2
Red Hat Fedora Core1
Red Hat Enterprise Linux AS 4
Red Hat Enterprise Linux AS 3
Nortel Networks VPN Router 2.0.2 b1
mod_auth_pgsql mod_auth_pgsql 2.0.1
Mandriva Linux Mandrake 2006.0 x86_64
Mandriva Linux Mandrake 2006.0
Mandriva Linux Mandrake 10.2 x86_64
Mandriva Linux Mandrake 10.2
Mandriva Linux Mandrake 10.1 x86_64
Mandriva Linux Mandrake 10.1
Debian Linux 3.1 sparc
Debian Linux 3.1 s/390
Debian Linux 3.1 ppc
Debian Linux 3.1 mipsel
Debian Linux 3.1 mips
Debian Linux 3.1 m68k
Debian Linux 3.1 ia-64
Debian Linux 3.1 ia-32
Debian Linux 3.1 hppa
Debian Linux 3.1 arm
Debian Linux 3.1 amd64
Debian Linux 3.1 alpha
Debian Linux 3.1
Conectiva Linux 10.0

- Discussion

The mod_auth_pgsql module is prone to multiple format-string vulnerabilities. These issues are due to the application's failure to properly sanitize user-supplied input before including it in the format-specification argument of formatted printing functions.

These issues could allow remote attackers to execute arbitrary code in the context of the webserver user and gain unauthorized access.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com

- Solution

The vendor has released updates to address this issue. Please see the referenced vendor advisories for more information.


mod_auth_pgsql mod_auth_pgsql 2.0.1

Nortel Networks VPN Router 2.0.2 b1

- References

 

 
