httpd-dev mailing list archives

From Aram Mirzadeh <...@qosina.com>
Subject mod_auth_dbm
Date Sun, 03 Mar 1996 03:07:12 GMT

I just found a very curious bug... 

Here is the situation... using dbmmanage I add a user:

# dbmmanage htpasswd add test testpw

Now if you run an Apache with dbm support, the system reads the htpasswd
file correctly, and returns an uncrypted password, and when it tries to
compare the passwords it uses the clean password typed in with a crypted
password read from the file using the password used as a salt?

line 171, of mod_auth_dbm.c:

if (strcmp(real_pw,(char *)crypt(sent_pw,real_pw))) { 

Now both real_pw, and sent_pw are clean unencrypted passwords... 

I just changed the above line to 

if ( strcmp( real_pw,sent_pw)) { 

I have no problem with authentication.  Is anyone else using dbm authentication?
I'm surprised this has been there for this long, and no one else has run into
it?!  So I thought I would let everyone else know before I submit the patch
to the tree. 

<Aram>

P.S. Here is the patch for ease:
===================================================================
RCS file: /usr/local/cvs/apache/src/mod_auth_dbm.c,v
retrieving revision 1.1.1.1
diff -r1.1.1.1 mod_auth_dbm.c
170c170
<     if(strcmp(real_pw,(char *)crypt(sent_pw,real_pw))) {
---
>     if(strcmp(real_pw,sent_pw)) {
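
Review bot: the replacement line `if(strcmp(real_pw,sent_pw)) {` compares the submitted password byte-for-byte with the stored value, so it only authenticates when the DBM file holds cleartext passwords. The removed line passes real_pw to crypt() as the salt, which is the normal way to verify against a stored crypt(3) hash, so the mismatch is more likely on the writing side: the dbmmanage add step is storing the password unhashed. Suggest keeping the crypt() comparison and making dbmmanage store the crypt() output instead. With this change applied, any DBM file that does contain hashed entries stops authenticating, and anyone who can read the file gets every user's password.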


-- 
Aram Mirzadeh						awm@qosina.com
MIS Manager				      Apache httpd team member
Qosina Corporation				    aram@hyperreal.com
http://www.qosina.com/			    http://www.qosina.com/~awm

You're not drunk if you can lie on the floor without holding on.
                -- Dean Martin

