httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dean Gaudet <dgau...@arctic.org>
Subject mod_access/1324: encrypted passwords are not read correctly. (fwd)
Date Tue, 28 Oct 1997 03:16:58 GMT
Yet another person confused by the fact that our online docs document
version 1.3 and not our current released version.

IMNSHO we should have /docs-1.2 and /docs-1.3.  I would have done it, but
I didn't want to upset the balance in the table of the top page. 

Dean

---------- Forwarded message ----------
Date: 28 Oct 1997 02:46:36 -0000
From: Andrew Whyte <whytea@cq-pan.cqu.edu.au>
To: apbugs@hyperreal.org
Subject: mod_access/1324: encrypted passwords are not read correctly.


>Number:         1324
>Category:       mod_access
>Synopsis:       encrypted passwords are not read correctly.
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Mon Oct 27 18:50:00 PST 1997
>Last-Modified:
>Originator:     whytea@cq-pan.cqu.edu.au
>Organization:
apache
>Release:        1.2.4
>Environment:
HP-UX 10.20 and Linux on Intel and Alpha and Sparc platforms
>Description:
In the documentation you point out that the passwd file for the
AuthUserFile directive can have the following structure:

username:passwd[: ignored]

However if the : or anything follows on the line, the password is returned
invalid when you try and login to a secured area via the web.

For example if the file had:

andrew:xzzxczcc:Andrew Whyte
test:v,mn324234

Then the top line would not work, but the bottom line will work perfectly.
I have noticed this bug in every version of Apache, and on every platform
I have tested which include:

Linux (1.0.x - 2.1.x) - Intel (RedHAt, Slackware, Debian)
Linux 1.2.30 - Alpha (RedHAt)
Linux 1.2.30 - Sparc (RedHat)
Digital Unix ver 4.0[a,b,c] - Alpha
Dec Ultrix - DECStation 3000 & 5000 's
HP-UX B.10.20 ( HP 9000-D230 )

It is really a cosmetic bug, but the simple point is, I would like to be able to
store extra info in the file for other tasks and this makes it impossible.

Also, it makes using the Unix system passwd file impossible, not that anyone
should be using it, but thats not the point.

Would really like to see such a small problem fixed somewhere in the future..

Cheers, Andrew
>How-To-Repeat:

>Fix:
I don't know enough C/C++ programming or I could do it myself, but all that
needs to happen is instead of reading the encrypted passwd from the begining of
the second field in the file to the end of the line, you read it up until you
hit another colon.

I can follow the code you use to read in the encrypted password and this is
exactly what it does, it reads the entire line, so it treats the excess data as
part of the passwd string.
%0
>Audit-Trail:
>Unformatted:



Mime
View raw message