Mailing List Archive

Apache authentication modules
Hello list,

I'm about to write a plugin for the recently discovered SQL injection
attacks against various Apache authentication modules (RUS-CERT Advisory
2001-08:01).

Firstly, I wanted to check that I'm not duplicating effort; has anyone already
written one, or is anyone currently writing one?

The advisory lists 5 Apache modules that are vulnerable to SQL code
injection. I would envisage the plugin simply making a request to the server
and then examining the banner in the response for the appropriate strings:

mod_auth_pg/1.2b2
mod_auth_mysql/1.9
mod_auth_oracle/0.5.1
mod_auth_pgsql/0.9.5
mod_auth_pgsql_sys/0.9.4

I don't have sufficient time to install all these modules and check whether
the banner they return includes these strings. (I'll probably just test
against mod_auth_mysql).

Most Apache modules I've seen report the name and version in the banners. I
was wondering whether anyone knew if the 'mod_whatever/version' string in
the banner that Apache sends would be consistent across all the auth modules
listed here - is anyone running these modules able to confirm that?

Obviously, if the admin has set 'ServerTokens' to something other than Full
in httpd.conf, the plugin gives false negatives, but I'd say this was better
than no check at all.

thanks,

Matt Moore
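
The banner check described in the message above, sketched as an added example; it is not part of the original post and not a plugin from this thread. It works on an already retrieved Server header value, the function names are hypothetical, the sample banners are constructed, and it assumes the modules advertise themselves with exactly the listed tokens, which the post leaves unconfirmed.

```python
import re

# Module/version strings exactly as listed in the post above.
LISTED_TOKENS = {
    "mod_auth_pg/1.2b2",
    "mod_auth_mysql/1.9",
    "mod_auth_oracle/0.5.1",
    "mod_auth_pgsql/0.9.5",
    "mod_auth_pgsql_sys/0.9.4",
}


def product_tokens(server_header):
    """Split a Server header into product tokens, dropping "(comment)" parts."""
    return re.sub(r"\([^)]*\)", " ", server_header).split()


def check_banner(server_header):
    """Classify a Server header value (hypothetical helper, not a real plugin API).

    Returns (verdict, matched): 'listed', 'not-listed', 'inconclusive' or 'not-apache'.
    """
    tokens = product_tokens(server_header or "")
    if not tokens:
        return "inconclusive", []  # no Server header at all
    if not tokens[0].lower().startswith("apache"):
        return "not-apache", []
    # Compare whole tokens: a substring test would also flag
    # "mod_auth_mysql/1.9.1" when looking for "mod_auth_mysql/1.9".
    matched = [t for t in tokens[1:] if t.lower() in LISTED_TOKENS]
    if matched:
        return "listed", matched
    if len(tokens) == 1:
        # ServerTokens Prod/Min/OS: Apache sends no module tokens, so the
        # absence of a match says nothing (the false negative in the post).
        return "inconclusive", []
    return "not-listed", []


if __name__ == "__main__":
    # Constructed sample banners, not captured from real servers.
    for banner in ("Apache/1.3.20 (Unix) mod_auth_mysql/1.9 PHP/4.0.6",
                   "Apache/1.3.20 (Unix)",
                   "Apache/1.3.20 (Unix) mod_auth_mysql/1.9.1"):
        print(banner, "->", check_banner(banner))
```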
Re: Apache authentication modules
On Mon, Sep 03, 2001 at 11:32:27AM +0100, Matt Moore wrote:
> The advisory lists 5 Apache modules that are vulnerable to SQL code
> injection. I would envisage the plugin simply making a request to the server
> and then examining the banner in the response for the appropriate strings:
>
> mod_auth_pg/1.2b2
> mod_auth_mysql/1.9
> mod_auth_oracle/0.5.1
> mod_auth_pgsql/0.9.5
> mod_auth_pgsql_sys/0.9.4
>
> I don't have sufficient time to install all these modules and check whether
> the banner they return includes these strings. (I'll probably just test
> against mod_auth_mysql).

I'll install mod_auth_pgsql and mod_auth_pgsql_sys (if that's postgres
:)



-- Renaud