Apache authentication modules

From: Matt Moore (mattat_private)
Date: Mon Sep 03 2001 - 03:32:27 PDT

  • Next message: Noam Rathaus: "Re: cisco password (analysis)"

    Hello list,
    
    I'm about to write a plugin for the recently discovered SQL injection
    attacks against various Apache authentication modules (RUS-CERT Advisory
    2001-08:01).
    
    Firstly, I wanted to check that I'm not duplicating effort; anyone already
    written one / currently writing one?
    
    The advisory lists 5 Apache modules that are vulnerable to SQL code
    injection. I would envisage the plugin simply making a request to the server
    and then examining the banner in the response for the appropriate strings:
    
    mod_auth_pg/1.2b2
    mod_auth_mysql/1.9
    mod_auth_oracle/0.5.1
    mod_auth_pgsql/0.9.5
    mod_auth_pgsql_sys/0.9.4
    
    I don't have sufficient time to install all these modules and check whether
    the banner they return includes these strings. (I'll probably just test
    against mod_auth_mysql).
    
    Most Apache modules I've seen report the name and version in the banners. I
    was wondering whether anyone knew if the 'mod_whatever/version' string in
    the banner that Apache sends would be consistent across all the auth modules
    listed here - is anyone running these modules able to confirm that?
    
    Obviously, if the admin has set 'ServerTokens' to something other than Full
    in httpd.conf the plugin false negatives, but I'd say this was better than
    no check at all.
    
    thanks,
    
    Matt Moore
    



    This archive was generated by hypermail 2b30 : Mon Sep 03 2001 - 03:32:50 PDT