| VID | 22194 |
| Severity | 40 |
| Port | 80, ... |
| Protocol | TCP |
| Class | WWW |
| Detailed Description |
The Apache mod_auth_any module is vulnerable to remote command execution. mod_auth_any is a runtime module for the Apache HTTP Server that allows any command-line program (such as webNIS) to be used to authenticate a user. The mod_auth_any package on some Linux and UNIX platforms does not properly escape shell characters in the supplied username, so a remote attacker may use this module to:
- Execute arbitrary commands on the remote host
- Bypass the authentication process completely
* References: http://www.securityfocus.com/tools/1904 http://www.net-security.org/article_out.php?id=86
* Platforms Affected: mod_auth_any Any version |
| Recommendation |
For Red Hat Linux: Upgrade to the latest mod_auth_any package (mod_auth_any-1.2 or later), as listed below. Refer to Red Hat Security Advisory RHSA-2003:114-09 for more information: http://rhn.redhat.com/errata/RHSA-2003-114.html
For other distributions: Contact your vendor for upgrade or patch information. |
| Related URL |
CVE-2003-0084 (CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
(ISS) |