httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From William A Rowe Jr <wr...@rowe-clan.net>
Subject Re: CVE-2017-3167: ap_get_basic_auth_pw authentication bypass
Date Mon, 19 Jun 2017 22:35:04 GMT
Not to announce@httpd? users@ and dev@ aren't particularly
broadcast channels.

announce@a.o might be too wide an audience, but that's why
we document the CVE's with short notes in the foundation-wide
release announcement. At least, used to document them.


On Mon, Jun 19, 2017 at 5:08 PM, Jacob Champion <jchampion@apache.org> wrote:
> CVE-2017-3167: ap_get_basic_auth_pw authentication bypass
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> httpd 2.2.0 to 2.2.32
> httpd 2.4.0 to 2.4.25
>
> Description:
> Use of the ap_get_basic_auth_pw() by third-party modules outside of the
> authentication phase may lead to authentication requirements being
> bypassed.
>
> Mitigation:
> 2.2.x users should either apply the patch available at
> https://www.apache.org/dist/httpd/patches/apply_to_2.2.32/CVE-2017-3167.patch
> or upgrade in the future to 2.2.33, which is currently unreleased.
>
> 2.4.x users should upgrade to 2.4.26.
>
> Third-party module writers SHOULD use ap_get_basic_auth_components(),
> available in 2.2.33 and 2.4.26, instead of ap_get_basic_auth_pw().
> Modules which call the legacy ap_get_basic_auth_pw() during the
> authentication phase MUST either immediately authenticate the user after
> the call, or else stop the request immediately with an error response,
> to avoid incorrectly authenticating the current request.
>
> Credit:
> The Apache HTTP Server security team would like to thank Emmanuel
> Dreyfus for reporting this issue.
>
> References:
> https://httpd.apache.org/security_report.html

Mime
View raw message