Martin Joey Schulze discovered a flaw in the way mod_auth_mysql handles certain multibyte character encodings. If mod_auth_mysql is configured to use a multibyte character set that allows the backslash '\' character as part of the character encodings, it is possible to inject arbitrary SQL commands to the MySQL database server.
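
The flaw class described above, as an added example that is not mod_auth_mysql's code and not part of the original report: a regression check that decodes an escaper's output the way a multibyte-aware server would and counts quotes left unescaped. GBK is an assumed stand-in for the affected character sets (the report names none), and all function names and sample bytes are constructed.

```python
QUOTES = "'\""

def bytewise_escape(raw: bytes) -> bytes:
    """Charset-unaware escaping: backslash-prefix every quote/backslash byte."""
    out = bytearray()
    for b in raw:
        if b in (0x27, 0x22, 0x5C):
            out.append(0x5C)
        out.append(b)
    return bytes(out)

def charset_aware_escape(raw: bytes, charset: str) -> bytes:
    """Escape per decoded character; reject input that is invalid in charset."""
    try:
        text = raw.decode(charset)            # strict: no silent repair
    except UnicodeDecodeError as exc:
        raise ValueError("input is not valid " + charset) from exc
    escaped = "".join("\\" + ch if ch in QUOTES + "\\" else ch for ch in text)
    return escaped.encode(charset)

def unescaped_quotes(escaped: bytes, charset: str) -> int:
    """Decode as the server would and count quotes not protected by a backslash."""
    count = backslashes = 0
    for ch in escaped.decode(charset):
        if ch == "\\":
            backslashes += 1
            continue
        if ch in QUOTES and backslashes % 2 == 0:
            count += 1                        # quote would end the SQL string
        backslashes = 0
    return count

# Constructed inputs: a dangling GBK lead byte before a quote, and a valid
# GBK character whose trail byte is 0x5C followed by a quote.
DANGLING_LEAD = b"\xbf'"
VALID_TRAIL_5C = b"\xbf\x5c'"

if __name__ == "__main__":
    for sample in (DANGLING_LEAD, VALID_TRAIL_5C):
        out = bytewise_escape(sample)
        print(sample, "->", out, "unescaped under gbk:", unescaped_quotes(out, "gbk"))
```

Under a single-byte character set the byte-wise output is safe; the quote only escapes once the server pairs 0x5C with the preceding lead byte.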

Public now via:
http://www.openwall.com/lists/oss-security/2009/01/21/10

Debian patch:
http://klecker.debian.org/~white/mod-auth-mysql/CVE-2008-2384_mod-auth-mysql.patch

Created mod_auth_mysql tracking bugs for this issue

Affects: fedora-all [bug 663414]

This issue has been addressed in following products:

Red Hat Enterprise Linux 6

Via RHSA-2010:1002 https://rhn.redhat.com/errata/RHSA-2010-1002.html