httpd-dev mailing list archives

From Aram Mirzadeh <>
Subject mod_auth_dbm
Date Sun, 03 Mar 1996 03:07:12 GMT

I just found a very curious bug... 

Here is the situation... using dbmmanage I add a user:

# dbmmanage htpasswd add test testpw

Now if you run an Apache with dbm support, the system reads the htpasswd
file correctly, and returns an uncrypted password, and when it tries to
compare the passwords it uses the clean password typed in with a crypted
password read from the file using the password used as a salt?

line 171, of mod_auth_dbm.c:

if (strcmp(real_pw,(char *)crypt(sent_pw,real_pw))) { 

Now both real_pw, and sent_pw are clean unencrypted passwords... 

I just changed the above line to 

if ( strcmp( real_pw,sent_pw)) { 

I have no problem with authentication.  Is anyone else using dbm authentication?
I'm surprised this has been there for this long, and no one else has run into
it?!  So I thought I would let everyone else know before I submit the patch
to the tree. 


P.S. Here is the patch for ease:
RCS file: /usr/local/cvs/apache/src/mod_auth_dbm.c,v
retrieving revision
diff -r1.1.1.1 mod_auth_dbm.c
<     if(strcmp(real_pw,(char *)crypt(sent_pw,real_pw))) {
>     if(strcmp(real_pw,sent_pw)) {
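
Review bot: On the `>` line, dropping crypt() turns the check into a byte-for-byte comparison of sent_pw with the stored value, so it only works while the DBM file holds cleartext passwords, and any record that already holds a crypt() hash will stop matching. The `<` line is the usual crypt(3) verification, with the stored hash passed as the salt; if dbmmanage is writing the password unhashed, as the message describes, it would be safer to fix what dbmmanage stores and keep this line, or at least document that the file must then be protected as cleartext credentials.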

Aram Mirzadeh
MIS Manager				      Apache httpd team member
Qosina Corporation

You're not drunk if you can lie on the floor without holding on.
                -- Dean Martin
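
Added example, not part of the original message or of Apache's code: the two comparisons from the patch above, run against a record that holds a hash and a record that holds the cleartext. toy_crypt is a hypothetical stand-in for crypt(3) (FNV-1a, not a password hash) so the block builds without libcrypt, and the sample records are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for crypt(3) so the example builds without libcrypt: same
 * calling convention (two-character salt taken from the front of `salt`,
 * result begins with that salt), but the hash is FNV-1a and is NOT a
 * password hash. Hypothetical helper, not Apache code. */
static const char *toy_crypt(const char *key, const char *salt)
{
    static char out[11];              /* 2 salt chars + 8 hex digits + NUL */
    unsigned long h = 2166136261UL;
    size_t i;

    if (strlen(salt) < 2)
        return "";                    /* real crypt() fails on a short salt */
    for (i = 0; i < 2; i++)
        h = ((h ^ (unsigned char)salt[i]) * 16777619UL) & 0xffffffffUL;
    for (i = 0; key[i] != '\0'; i++)
        h = ((h ^ (unsigned char)key[i]) * 16777619UL) & 0xffffffffUL;
    snprintf(out, sizeof out, "%c%c%08lx", salt[0], salt[1], h);
    return out;
}

/* Check on the removed (<) line: hash what was sent, stored value as salt. */
static int check_hashed(const char *real_pw, const char *sent_pw)
{
    return strcmp(real_pw, toy_crypt(sent_pw, real_pw)) == 0;
}

/* Check on the added (>) line: byte-for-byte comparison with the stored value. */
static int check_plain(const char *real_pw, const char *sent_pw)
{
    return strcmp(real_pw, sent_pw) == 0;
}

int main(void)
{
    char hashed[11];                  /* constructed record: salt "ab", password "testpw" */
    const char *clear = "testpw";     /* constructed record holding the cleartext */

    strcpy(hashed, toy_crypt("testpw", "ab"));
    printf("hashed record, hashed check: %d\n", check_hashed(hashed, "testpw"));
    printf("clear record,  hashed check: %d\n", check_hashed(clear, "testpw"));
    printf("clear record,  plain check:  %d\n", check_plain(clear, "testpw"));
    printf("hashed record, plain check:  %d\n", check_plain(hashed, "testpw"));
    return 0;
}
```

Each check accepts the correct password only when the record is in the format it expects, so the stored format and the comparison have to be changed together.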
