Courier Authentication Library: SQL injection vulnerability
Gentoo Linux Security Advisory
||GLSA 200809-05 / courier-authlib
||September 05, 2008
||September 05, 2008: 01
All supported architectures
An SQL injection vulnerability has been discovered in the Courier
The Courier Authentication Library is a generic authentication API that
encapsulates the process of validating account passwords.
It has been discovered that some input (e.g. the username) passed to
the library are not properly sanitised before being used in SQL
A remote attacker could provide specially crafted input to the library,
possibly resulting in the remote execution of arbitrary SQL commands.
NOTE: Exploitation of this vulnerability requires that a MySQL database
is used for authentication and that a Non-Latin character set is
There is no known workaround at this time.
All Courier Authentication Library users should upgrade to the latest
Code Listing 3.1: Resolution
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-libs/courier-authlib-0.60.6"