httpd-dev mailing list archives

From "Dirk.vanGulik" <Dirk.vanGu...@jrc.it>
Subject Re: apache-demo and mod_auth_msql.c
Date Mon, 17 Jun 1996 08:07:25 GMT

If you go looking for holes, I'd go for trying to have ' and /esh
in the username/password and try to make the username very long, say
16k chars. If there are holes I'd expect them to be between the 
boundary of msql and apache.

btw: the ' and / escaping was only added from 0.9 onwards and is
     missing in older versions (as well as in the Vivek version
     distributed earlier).

Dw.


> I have been using the msql_auth module for a
> while and haven't met any problems.
> Testing so far hasn't found any security holes
> but I can take a look. I would like to see
> this stay as part of the distribution.
> 
> Bill Morris
> memetic Design
> BMorris@memetic.com
> 800-647-3597
> 
> > 
> > I'm also running msql-1.0.13.  Actually 60% of my web pages are using msql
> > and w3-msql, but not the module.  I'm trying to move everything over to 
> > php/fi but haven't had the time to do it yet... anyway, the final thing is
> > that I do use the program, but not the module.
> > 
> > <Aram>
> > 
> > > 
> > > I have a question for the group.  This module is mostly the work of Dirk,
> > > with comments from Vivek and of course input from the rest of us.  But to
> > > be honest, most of us do not have the capability to test this ourselves,
> > > since most of us don't have MSQL running ourselves.  I think I remember
> > > Randy and Chuck mentioning they were using this, but I could be wrong. 
> > > So, in that situation, where the usual 3 +1 votes are needed to commit
> > > large changes, and our usual policy of only putting stuff in the
> > > distribution which we are willing to risk CERT warnings over, are we
> > > comfortable with the situation of a module with one developer and a small
> > > userbase?  In this situation I am, based upon personal knowledge of Dirk
> > > and his technical capabilities, but just to keep everyone on the same
> > > page I ask if this is an okay situation. 
> > > 
> > > 	Brian
> > > 
> > > 
> > > --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
> > > brian@organic.com  |  Visualize liking your job.  http://www.organic.com/JOBS
> > > 
> > 
> > - -- 
> >                                         | Aram Mirzadeh
> > I'm not under the alkafluence of inkahol| MIS Manager
> > that some thinkle peep I am.            | Qosina Corp.
> > It's just the drunker I sit here the    | http://www.qosina.com/~awm/
> > longer I get.                           | awm@qosina.com
> >                 			| Apache httpd - awm@hyperreal.com
> > 
> > 
> 
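
The boundary checks named in the reply above (quote and escape characters, and over-long usernames), as an added example that is not code from mod_auth_msql or from anyone in this thread. The function names, the 64-byte limit, the table and column names, and the use of backslash as the escape character are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define MAX_FIELD_LEN 64  /* assumed limit, not a value from the module */

/* Escape src for use inside a single-quoted SQL string literal.
 * Returns the escaped length, or -1 if src exceeds MAX_FIELD_LEN or
 * dst cannot hold the result. Over-long input is rejected, never truncated. */
int sql_escape_field(const char *src, char *dst, size_t dst_size)
{
    size_t in, out = 0;

    if (dst_size == 0)
        return -1;
    for (in = 0; src[in] != '\0'; in++) {
        size_t need = (src[in] == '\'' || src[in] == '\\') ? 2 : 1;
        if (in >= MAX_FIELD_LEN || out + need + 1 > dst_size)
            return -1;
        if (need == 2)
            dst[out++] = '\\';   /* assumed escape character */
        dst[out++] = src[in];
    }
    dst[out] = '\0';
    return (int)out;
}

/* Build the lookup query; table and column names are hypothetical. */
int build_user_query(const char *user, char *query, size_t query_size)
{
    char esc[2 * MAX_FIELD_LEN + 1];  /* worst case: every byte escaped */
    int n;
    if (sql_escape_field(user, esc, sizeof esc) < 0)
        return -1;
    n = snprintf(query, query_size,
                 "SELECT passwd FROM users WHERE user = '%s'", esc);
    return (n < 0 || (size_t)n >= query_size) ? -1 : n;
}

int main(void)
{
    char q[256], big[16385];                          /* constructed inputs */
    const char *samples[] = { "alice", "o'brien", "a\\b", big };
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    for (size_t i = 0; i < 4; i++)
        puts(build_user_query(samples[i], q, sizeof q) > 0 ? q : "rejected");
    return 0;
}
```

The authentication path should treat a -1 return as a failed login rather than passing a shortened name to the database.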

