httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Rai, Pravesh R (STSD)" <pravesh....@hp.com>
Subject Need feedback for proposed changes in Apache source
Date Tue, 31 Jan 2012 11:27:32 GMT
Hi,

We are using Apache 2.2.21 with our product in HP. As we all know that during some failure
operations, Windows OS stores the memory dump as .mdmp & .hdmp files. In our case we have
observed credentials (in plain text) in those dump files, which is a security concern for
us.

During our investigation, we found that Apache source uses memcpy() at many places, which
always leave behind the source string (in this case, credentials in plain text) in the memory.
Also observed that the destination buffer, if bigger than the source buffer, always have remnants
of its original content after copy/move operations. Such memory locations hold the data for
unknown longer duration & any exception during the course exposes all these data in the
dump file.

Have tried to modify few Apache source files, like:

httpd\srclib\apr-util\buckets\apr_brigade.c (diff file w.r.t. to Apache 2.2.21: diff_apr_brigade.c.txt)
httpd\modules\ssl\ssl_engine_io.c (diff file w.r.t. to Apache 2.2.21: diff_ssl_engine_io.c.txt)

Though the changes are minor & mainly intended to clean the buffer, but so far our Security
testing team has not found any plain text credentials in any of our application dump files.
Please go through these changes & let us know your views.

Thanks & Regards,
Pravesh

Mime
View raw message