[FUGSPBR] Fw: FreeBSD Ports Security Advisory FreeBSD-SA-02:03.mod_auth_pgsql

Vitor de M. Carvalho vitor em softinfo.com.br
Sex Jan 4 23:44:42 BRST 2002 


 Atenciosamente,
 Vitor de M. Carvalho
 System Network Administrator - Softinfo Network
 FreeBSD - The Power To Serve
 ICQ - 41747397


----- Original Message -----
From: "FreeBSD Security Advisories" <security-advisories em FreeBSD.ORG>
To: "FreeBSD Security Advisories" <security-advisories em FreeBSD.ORG>
Sent: Friday, January 04, 2002 11:04 PM
Subject: FreeBSD Ports Security Advisory FreeBSD-SA-02:03.mod_auth_pgsql


> -----BEGIN PGP SIGNED MESSAGE-----
>
>
============================================================================
=
> FreeBSD-SA-02:03                                            Security
Advisory
>                                                                 FreeBSD,
Inc.
>
> Topic:          mod_auth_pgsql port authentication bypass
>
> Category:       ports
> Module:         mod_auth_pgsql
> Announced:      2002-01-04
> Credits:        RUS CERT <URL:http://cert.uni-stuttgart.de/>
> Affects:        Ports collection prior to the correction date
> Corrected:      2001-10-02 11:33:49 UTC
> FreeBSD only:   NO
>
> I.   Background
>
> mod_auth_pgsql is an Apache module which allows the Apache web server
> to use a PostgreSQL database for user and/or group authentication.
>
> II.  Problem Description
>
> The mod_auth_pgsql port, versions prior to mod_auth_pgsql-0.9.9,
> contain a vulnerability that may allow a remote user to cause
> arbitrary SQL code to be execute.  mod_auth_pgsql constructs a SQL
> statement to be executed by the PostgreSQL server in order to lookup
> user information.  The username given by the remote user is inserted
> into the SQL statement without any quoting or other safety checks.
>
> The mod_auth_pgsql port is not installed by default, nor is it "part of
> FreeBSD" as such: it is part of the FreeBSD ports collection, which
> contains over 6000 third-party applications in a ready-to-install
> format. The ports collection shipped with FreeBSD 4.4 contains this
> problem since it was discovered after the release.
>
> FreeBSD makes no claim about the security of these third-party
> applications, although an effort is underway to provide a security
> audit of the most security-critical ports.
>
> III. Impact
>
> A remote user may insert arbitrary SQL code into the username during
> authentication, leading to several exploit opportunities.  In
> particular, the attacker may cause mod_auth_pgsql to use a known fixed
> password hash for user verification, allowing him to authenticate as
> any user and obtain unauthorized access to web server data.
>
> IV.  Workaround
>
> 1) Deinstall the mod_auth_pgsql port/package if you have it installed.
>
> V.   Solution
>
> 1) Upgrade your entire ports collection and rebuild the port.
>
> 2) Deinstall the old package and install a new package dated after the
> correction date, obtained from the following directories:
>
> [i386]
>
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/www/mod_auth_
pgsql-0.9.9.tgz
>
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/www/mod_auth
_pgsql-0.9.9.tgz
>
> [alpha]
> Packages are not automatically generated for the alpha architecture at
> this time due to lack of build resources.
>
> 3) Download a new port skeleton for the mod_auth_pgsql port from:
>
> http://www.freebsd.org/ports/
>
> and use it to rebuild the port.
>
> 4) Use the portcheckout utility to automate option (3) above. The
> portcheckout port is available in /usr/ports/devel/portcheckout or the
> package can be obtained from:
>
>
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portche
ckout-2.0.tgz
>
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portch
eckout-2.0.tgz
>
> VI.  Correction details
>
> The following list contains the $FreeBSD$ revision numbers of each
> file that was corrected in the FreeBSD source
>
> Path                                                             Revision
> - ------------------------------------------------------------------------
-
> ports/www/mod_auth_pgsql/Makefile                                     1.3
> ports/www/mod_auth_pgsql/distinfo                                     1.2
> - ------------------------------------------------------------------------
-
>
> VII. References
>
> <URL:http://cert.uni-stuttgart.de/advisories/apache_auth.php>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.6 (FreeBSD)
> Comment: For info see http://www.gnupg.org
>
> iQCVAwUBPDZOBVUuHi5z0oilAQHfNgQAgp9FKI4P0XfSzBdbcdOnqPCBJji4TPLS
> gENpCcvT55dWcGjYr0XsJrsk1NhF3Qq0TR8CnN2OmWaxx1ugoqwdc6o0vqzYIQ5H
> DAwBK4tbYOBYmram7A+0VBbTxPlHTnTop56i3/w2xaxafMHdlrzB2zCO7pimU83i
> 2MAKa0dLwS4=
> =l5iu
> -----END PGP SIGNATURE-----
>
> To Unsubscribe: send mail to majordomo em FreeBSD.org
> with "unsubscribe freebsd-security-notifications" in the body of the
message
>

----
Para sair da lista envie um e-mail para majordomo em fugspbr.org
com as palavras "unsubscribe fugspbr" no corpo da mensagem.

Mais detalhes sobre a lista de discussão freebsd