httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nick Kew <n...@webthing.com>
Subject Re: Need feedback for proposed changes in Apache source
Date Tue, 31 Jan 2012 12:35:06 GMT
On Tue, 31 Jan 2012 11:27:32 +0000
"Rai, Pravesh R (STSD)" <pravesh.rai@hp.com> wrote:

> Hi,
> 
> We are using Apache 2.2.21 with our product in HP. As we all know that during some failure
operations, Windows OS stores the memory dump as .mdmp & .hdmp files. In our case we have
observed credentials (in plain text) in those dump files, which is a security concern for
us.

Thanks for pointing this out.

What credentials specifically?  If that's HTTP Basic Auth
(or equivalent level of non-encryption) the strings from the
HTTP Request headers will exist in memory with the potential
to appear in a dump!

> Have tried to modify few Apache source files, like:
> 
> httpd\srclib\apr-util\buckets\apr_brigade.c (diff file w.r.t. to Apache 2.2.21: diff_apr_brigade.c.txt)

Your diff looks fine, but note that anything under apr or apr-util
belongs to the APR project, not to httpd.

> httpd\modules\ssl\ssl_engine_io.c (diff file w.r.t. to Apache 2.2.21: diff_ssl_engine_io.c.txt)

That one sets to NULL after a memmove.  Since memmove supports overlapping
source and destination buffers, you could be introducing complex edge-case
side-effects.  Have you checked?

> Though the changes are minor & mainly intended to clean the buffer, but so far our
Security testing team has not found any plain text credentials in any of our application dump
files. Please go through these changes & let us know your views.

I can imagine there might be other such instances in the code.

-- 
Nick Kew

Mime
View raw message