Re: Embedded SQL vulnerability

Glen Eustace <geustace@godzone.net.nz> writes:

> Has anyone added anything into the client library along the lines of the
> suggestion made in
>
> http://cert.uni-stuttgart.de/advisories/apache_auth.php
>
> I have just upgraded to 7.1.3 on RH7.1, I wasn't going to bother with the
> source.  But we do use our database for authentication and consequently are
> vulnerable.

A patch did go in just recently, but didn't make it into 7.1.3.

You can always do the escaping yourself--the patch just makes the
escape call available in the library; it doesn't automatically fix
your code.

-Doug
--
Free Dmitry Sklyarov!
http://www.freesklyarov.org/

We will return to our regularly scheduled signature shortly.