Executive Summary
| Summary | |
|---|---|
| Title | New courier packages fix SQL injection |
| Informations | |||
|---|---|---|---|
| Name | DSA-247 | First vendor Publication | 2003-01-30 |
| Vendor | Debian | Last vendor Modification | 2003-01-30 |
| Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
| Cvss vector : N/A | |||
|---|---|---|---|
| Overall CVSS Score | NA | ||
| Base Score | NA | Environmental Score | NA |
| impact SubScore | NA | Temporal Score | NA |
| Exploitabality Sub Score | NA | ||
| Calculate full CVSS 3.0 Vectors scores | |||
Security-Database Scoring CVSS v2
| Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P) | |||
|---|---|---|---|
| Cvss Base Score | 7.5 | Attack Range | Network |
| Cvss Impact Score | 6.4 | Attack Complexity | Low |
| Cvss Expoit Score | 10 | Authentication | None Required |
| Calculate full CVSS 2.0 Vectors scores | |||
Detail
| The developers of courier, an integrated user side mail server, discovered a problem in the PostgreSQL auth module. Not all potentially malicious characters were sanitized before the username was passed to the PostgreSQL engine. An attacker could inject arbitrary SQL commands and queries exploiting this vulnerability. The MySQL auth module is not affected. For the stable distribution (woody) this problem has been fixed in version 0.37.3-3.3. The old stable distribution (potato) does not contain courier packages. For the unstable distribution (sid) this problem has been fixed in version 0.40.2-3. We recommend that you upgrade your courier-authpostgresql package. |
Original Source
| Url : http://www.debian.org/security/2003/dsa-247 |
CPE : Common Platform Enumeration
| Type | Description | Count |
|---|---|---|
| Application | 1 | |
| Application | 1 |
OpenVAS Exploits
| Date | Description |
|---|---|
| 2008-01-17 | Name : Debian Security Advisory DSA 247-1 (courier) File : nvt/deb_247_1.nasl |
Open Source Vulnerability Database (OSVDB)
| Id | Description |
|---|---|
| 9506 | PostgreSQL Auth Module For Courier User Name Parameter SQL Injection |
Nessus® Vulnerability Scanner
| Date | Description |
|---|---|
| 2004-09-29 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-247.nasl - Type : ACT_GATHER_INFO |
Alert History
| Date | Informations |
|---|---|
| 2014-02-17 11:31:04 |
|
