www-apache-bugdb mailing list archives

From Kenny Gardner <Ke...@gapdev.com>
Subject mod_auth-any/3362: Password File is not parsed correctly
Date Sun, 08 Nov 1998 01:07:38 GMT

>Number:         3362
>Category:       mod_auth-any
>Synopsis:       Password File is not parsed correctly
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Sat Nov  7 17:10:00 PST 1998
>Originator:     Kenny@gapdev.com
>Release:        1.2.6 and prior (and above?)
BSD/OS gapdev.com 3.1 BSDI BSD/OS 3.1 Virtual Kernel #12: Fri Jun 19 14:32:14 MDT 1998

gcc version

Password Files that are not in the format of:


are not parsed correctly.


  userid:password:7100:100:Staranet Admin:/:ftp;mail

returns a password of:

  password:7100:100:Staranet Admin:/:ftp;mail

Anything after the first ":" is considered to be the Password.
Use your /etc/passwd file for authentication or any password file that contains extra information
after the password field.

authenticate_basic_user() function in mod_auth.c:

   Just before:

   /* anyone know where the prototype for crypt is? */

   if (strcmp(real_pw,(char *)crypt(sent_pw,real_pw)))


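   char *real_pwptr = real_pw;

   /* cut real_pw at the first ':' so only the password field is compared */
   while (*real_pwptr) {
      if (*real_pwptr == ':')
         *real_pwptr = 0;   /* the loop ends here: *real_pwptr is now 0 */
      else
         real_pwptr++;
   }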

[In order for any reply to be added to the PR database, ]
[you need to include <apbugs@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED.  This is not done]
[automatically because of the potential for mail loops. ]
[If you do not include this Cc, your reply may be ig-   ]
[nored unless you are responding to an explicit request ]
[from a developer.                                      ]
[Reply only with text; DO NOT SEND ATTACHMENTS!         ]
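
The parsing difference described in the report above, as an added C example (not code from mod_auth.c and not from the submitter). The function names and buffer sizes are hypothetical; the sample line is the one quoted in the report. With the first behaviour the stored value can never equal the output of crypt(), so every login against such a file is rejected.

```c
#include <stdio.h>
#include <string.h>

/* Sample line as quoted in the report (not real account data). */
static const char SAMPLE[] = "userid:password:7100:100:Staranet Admin:/:ftp;mail";

/* Behaviour described in the report: everything after the first ':' is
 * treated as the password. Returns 0 on success, -1 if there is no ':'
 * or the result does not fit in out. */
int pw_rest_of_line(const char *line, char *out, size_t outlen)
{
    const char *p = strchr(line, ':');
    if (p == NULL || strlen(p + 1) >= outlen)
        return -1;
    strcpy(out, p + 1);
    return 0;
}

/* Corrected behaviour: keep only the second field, stopping at the next
 * ':', a line ending, or the end of the string. */
int pw_second_field(const char *line, char *out, size_t outlen)
{
    const char *p = strchr(line, ':');
    size_t n;
    if (p == NULL)
        return -1;
    p++;
    n = strcspn(p, ":\r\n");
    if (n >= outlen)
        return -1;
    memcpy(out, p, n);
    out[n] = '\0';
    return 0;
}

int main(void)
{
    char a[128], b[128];
    if (pw_rest_of_line(SAMPLE, a, sizeof a) == 0)
        printf("rest of line : %s\n", a);
    if (pw_second_field(SAMPLE, b, sizeof b) == 0)
        printf("second field : %s\n", b);
    return 0;
}
```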
