J-Security Center

Title: Cyrus SASL LDAP+MySQL Authentication Patch SQL Command Execution Vulnerability

Severity: HIGH

Description:

The Cyrus SASL LDAP+MySQL patch is a freely available, open source enhancement patch. It is designed for use on the Unix and Linux operating systems.

A problem with the patch could make it possible for remote users to gain access to the mail account of any user. The problem is in the handling of user input.

The Cyrus SASL LDAP+MySQL patch is designed to integrate LDAP and MySQL authentication with Cyrus SASL. This makes it possible to centralize authentication data.

Due to a design problem in the patch, users may gain access to the mail accounts of others. By passing a specially crafted SQL command to the password challenge, it is possible to provoke a successful authentication response from the MySQL server. This would give access to the mail of the user specified in the login challenge.

Exploitation of this vulnerability may offer intermittent success through the use of a string such as ') OR 1=1 HAVING FLOOR(RAND()*100)=1 AND ('1'='1. If the attacker has knowledge of the database layout via another vulnerability that allows SQL command stuffing, the probability of exploitation increases significantly.

This problem may allow a remote user to gain access to the mail spool of the desired user.
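
The following is an added example, not code from the patch or from the original advisory. It contrasts a password check that pastes input into the SQL text with one that binds the username and keeps the password out of SQL entirely. The query shape, the accounts schema and all function names are assumptions, and SQLite stands in for MySQL so the block runs offline.

```python
import hashlib
import hmac
import os
import sqlite3

# String quoted in the advisory above; used here only as test input.
ADVISORY_STRING = "') OR 1=1 HAVING FLOOR(RAND()*100)=1 AND ('1'='1"


def derive(password, salt):
    """Salted password hash computed in the application, not in SQL."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_db():
    """Constructed sample data; the accounts schema is hypothetical."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts "
               "(username TEXT PRIMARY KEY, salt BLOB, pwhash BLOB)")
    salt = os.urandom(16)
    db.execute("INSERT INTO accounts VALUES (?, ?, ?)",
               ("alice", salt, derive("correct horse", salt)))
    return db


def concatenated_query(username, password):
    """'Before' form (assumed shape): input is pasted into the SQL text.
    Returned as text only, so the effect on the statement is visible."""
    return ("SELECT username FROM accounts WHERE username = '%s' "
            "AND password = PASSWORD('%s')" % (username, password))


def check_password(db, username, password):
    """Hardened form: the username is a bound parameter and the password
    never enters the SQL text; it is hashed and compared in the application."""
    row = db.execute("SELECT salt, pwhash FROM accounts WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(derive(password, salt), stored)


if __name__ == "__main__":
    db = make_db()
    # The supplied value closes the string literal and becomes SQL syntax.
    print(concatenated_query("alice", ADVISORY_STRING))
    print(check_password(db, "alice", "correct horse"))
    print(check_password(db, "alice", ADVISORY_STRING))
```

In the concatenated form the supplied value ends the quoted literal and the remainder is parsed as part of the WHERE clause; in the bound form the same value is only ever data.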

Affected Products:

  • Cyrus-Utils SASL LDAP+MYSQL Auth Patch 1.5.24
  • Cyrus-Utils SASL LDAP+MYSQL Auth Patch 1.5.27
