httpd-dev mailing list archives

From Marc Slemko <ma...@worldgate.com>
Subject Re: mod_access/1324: encrypted passwords are not read correctly. (fwd)
Date Tue, 28 Oct 1997 03:21:14 GMT
On Mon, 27 Oct 1997, Dean Gaudet wrote:

> Yet another person confused by the fact that our online docs document
> version 1.3 and not our current released version.
> 
> IMNSHO we should have /docs-1.2 and /docs-1.3.  I would have done it, but
> I didn't want to upset the balance in the table of the top page. 

The problem is that there are docs improvements that are applicable to
both trees but will not be made in the 1.2 tree because it is too much
effort.  I really don't see a huge number of people with problems other
than those that can't read; i.e. it says "1.3" right in front of their nose
and they are too blind to see it.  If they don't see that, they will
probably pick the wrong docs anyway half the time.

About this specific issue, I have no idea since I don't know where the
docs they are referring to are... the CHANGES file lists it for 1.3.

> 
> Dean
> 
> ---------- Forwarded message ----------
> Date: 28 Oct 1997 02:46:36 -0000
> From: Andrew Whyte <whytea@cq-pan.cqu.edu.au>
> To: apbugs@hyperreal.org
> Subject: mod_access/1324: encrypted passwords are not read correctly.
> 
> 
> >Number:         1324
> >Category:       mod_access
> >Synopsis:       encrypted passwords are not read correctly.
> >Confidential:   no
> >Severity:       non-critical
> >Priority:       medium
> >Responsible:    apache
> >State:          open
> >Class:          sw-bug
> >Submitter-Id:   apache
> >Arrival-Date:   Mon Oct 27 18:50:00 PST 1997
> >Last-Modified:
> >Originator:     whytea@cq-pan.cqu.edu.au
> >Organization:
> apache
> >Release:        1.2.4
> >Environment:
> HP-UX 10.20 and Linux on Intel and Alpha and Sparc platforms
> >Description:
> In the documentation you point out that the passwd file for the
> AuthUserFile directive can have the following structure:
> 
> username:passwd[: ignored]
> 
> However if the : or anything follows on the line, the password is returned
> invalid when you try and login to a secured area via the web.
> 
> For example if the file had:
> 
> andrew:xzzxczcc:Andrew Whyte
> test:v,mn324234
> 
> Then the top line would not work, but the bottom line will work perfectly.
> I have noticed this bug in every version of Apache, and on every platform
> I have tested which include:
> 
> Linux (1.0.x - 2.1.x) - Intel (RedHat, Slackware, Debian)
> Linux 1.2.30 - Alpha (RedHat)
> Linux 1.2.30 - Sparc (RedHat)
> Digital Unix ver 4.0[a,b,c] - Alpha
> Dec Ultrix - DECStation 3000 & 5000 's
> HP-UX B.10.20 ( HP 9000-D230 )
> 
> It is really a cosmetic bug, but the simple point is, I would like to be able to
> store extra info in the file for other tasks and this makes it impossible.
> 
> Also, it makes using the Unix system passwd file impossible, not that anyone
> should be using it, but that's not the point.
> 
> Would really like to see such a small problem fixed somewhere in the future..
> 
> Cheers, Andrew
> >How-To-Repeat:
> 
> >Fix:
> I don't know enough C/C++ programming or I could do it myself, but all that
> needs to happen is instead of reading the encrypted passwd from the beginning of
> the second field in the file to the end of the line, you read it up until you
> hit another colon.
> 
> I can follow the code you use to read in the encrypted password and this is
> exactly what it does, it reads the entire line, so it treats the excess data as
> part of the passwd string.
> >Audit-Trail:
> >Unformatted:
> 
> 
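
The parsing difference described in the forwarded report, as an added example that is not part of the original thread and is not Apache source. `lookup_passwd` and `SAMPLE` are hypothetical names; the sample content is the two lines quoted in the report.

```c
#include <stdio.h>
#include <string.h>

/* Constructed AuthUserFile content: the two lines quoted in the report. */
static const char SAMPLE[] =
    "andrew:xzzxczcc:Andrew Whyte\n"
    "test:v,mn324234\n";

/* Hypothetical lookup, not Apache source. Finds `user` in `text` and copies
 * the stored password field to `out`. With stop_at_colon == 0 the field runs
 * to end of line (the behaviour the report describes); with 1 it ends at the
 * next ':' so trailing fields are ignored.
 * Returns 0 on success, -1 if the user is absent or the field does not fit. */
int lookup_passwd(const char *text, const char *user, int stop_at_colon,
                  char *out, size_t outlen)
{
    size_t ulen = strlen(user);

    while (*text != '\0') {
        size_t linelen = strcspn(text, "\n");
        /* Exact username match: the name must be followed by ':'. */
        if (linelen > ulen && strncmp(text, user, ulen) == 0 && text[ulen] == ':') {
            const char *field = text + ulen + 1;
            size_t n = strcspn(field, stop_at_colon ? ":\r\n" : "\r\n");
            if (n >= outlen)
                return -1;          /* never truncate a stored hash */
            memcpy(out, field, n);
            out[n] = '\0';
            return 0;
        }
        text += linelen;
        if (*text == '\n')
            text++;
    }
    return -1;
}

int main(void)
{
    const char *users[] = { "andrew", "test" };
    char buf[64];

    for (int i = 0; i < 2; i++)
        for (int mode = 0; mode <= 1; mode++)
            if (lookup_passwd(SAMPLE, users[i], mode, buf, sizeof buf) == 0)
                printf("%-6s %-14s \"%s\"\n", users[i],
                       mode ? "stop at colon" : "to end of line", buf);
    return 0;
}
```

In end-of-line mode the stored value for `andrew` includes the trailing `:Andrew Whyte`, so no hash of the submitted password can equal it; the `test` line has no third field and is the same in both modes.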

