CVE-2011-0432

Name of the Vulnerable Software and Affected Versions PyWebDAV versions prior to 0.9.4.1

Description The issue allows remote attackers to execute arbitrary SQL commands via the (1) user or (2) pw argument in the get userinfo method in the MySQLAuthHandler class in DAVServer/mysqlauth.py.

Recommendations For versions prior to 0.9.4.1, update to version 0.9.4.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the get userinfo method in the MySQLAuthHandler class until a patch is applied. Avoid using the user and pw arguments in the affected method until the issue is resolved.