Hello list,

I'm about to write a plugin for the recently discovered SQL injection attacks against various Apache authentication modules (RUS-CERT Advisory 2001-08:01). Firstly, I wanted to check that I'm not duplicating effort; anyone already written one / currently writing one?

The advisory lists 5 Apache modules that are vulnerable to SQL code injection. I would envisage the plugin simply making a request to the server and then examining the banner in the response for the appropriate strings:

    mod_auth_pg/1.2b2
    mod_auth_mysql/1.9
    mod_auth_oracle/0.5.1
    mod_auth_pgsql/0.9.5
    mod_auth_pgsql_sys/0.9.4

I don't have sufficient time to install all these modules and check whether the banner they return includes these strings. (I'll probably just test against mod_auth_mysql). Most Apache modules I've seen report the name and version in the banners.

I was wondering whether anyone knew if the 'mod_whatever/version' string in the banner that Apache sends would be consistent across all the auth modules listed here - is anyone running these modules able to confirm that?

Obviously, if the admin has set 'ServerTokens' to something other than Full in httpd.conf the plugin false negatives, but I'd say this was better than no check at all.

thanks,
Matt Moore
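The banner check described in the post, sketched as an added example (not part of the original message and not an actual scanner plugin). It assumes each module advertises itself as a `name/version` token in the `Server` header, which is the point the post asks the list to confirm; the function names and the sample responses are constructed for illustration.

```python
import re

# Banner strings exactly as listed in the post above.
LISTED = {
    "mod_auth_pg/1.2b2",
    "mod_auth_mysql/1.9",
    "mod_auth_oracle/0.5.1",
    "mod_auth_pgsql/0.9.5",
    "mod_auth_pgsql_sys/0.9.4",
}

def server_header(raw: bytes):
    """Return the Server header value from a raw HTTP response, or None."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:           # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return None

def check_banner(raw: bytes):
    """Return ('match', hits), ('no_match', []) or ('inconclusive', [])."""
    banner = server_header(raw)
    if banner is None:
        return ("inconclusive", [])
    # Drop comments such as "(Unix)", then split into product tokens.
    tokens = re.sub(r"\([^)]*\)", " ", banner).split()
    modules = tokens[1:]                           # tokens[0] is the server itself
    if not modules:
        # ServerTokens below Full: no module tokens are sent, so the
        # absence of a listed string proves nothing (the false negative case).
        return ("inconclusive", [])
    # Whole-token comparison: a substring search would also flag
    # "mod_auth_mysql/1.90" when looking for "mod_auth_mysql/1.9".
    hits = sorted(t for t in modules if t.lower() in LISTED)
    return ("match", hits) if hits else ("no_match", [])

# Constructed sample responses (not captured from real servers).
FULL = (b"HTTP/1.1 401 Authorization Required\r\n"
        b"Server: Apache/1.3.20 (Unix) mod_auth_mysql/1.9 PHP/4.0.6\r\n\r\n")
PROD = b"HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n"
OTHER = (b"HTTP/1.1 200 OK\r\n"
         b"Server: Apache/1.3.20 (Unix) mod_auth_mysql/1.90 mod_ssl/2.8.4\r\n\r\n")
```

Reporting a trimmed banner as inconclusive instead of clean keeps the ServerTokens limitation visible in the scan result.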
This archive was generated by hypermail 2b30 : Mon Sep 03 2001 - 03:32:50 PDT