www-apache-bugdb mailing list archives

From Tatsuzo Kubota <E20...@jp.ibm.com>
Subject mod_auth-any/4205: password written by dbmmanage command with add operand is NOT encrypted
Date Wed, 07 Apr 1999 11:05:47 GMT

>Number:         4205
>Category:       mod_auth-any
>Synopsis:       password written by dbmmanage command with add operand is NOT encrypted
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Wed Apr  7 04:10:00 PDT 1999
>Last-Modified:
>Originator:     E20022@jp.ibm.com
>Organization:
apache
>Release:        1.3.3.1
>Environment:
AIX V4.2.1
IBM HTTP Server V 1.3.3.1
Perl V5.00404
>Description:
When I executed the following dbmmanage command, the password added to the
password file was NOT encrypted.
    ./dbmmanage /user2 add kubota 1107
And when I tried to access a protected document from a client browser, I got an
error message saying "password mismatch".

UserID, Password
    UserID      kubota
    Password    1107

httpd.conf definition
    LoadModule dbm_auth_module /libexec/mod_auth_dbm.so

    <Directory /usr/lpp/HTTPServer/share/htdocs/manual>
        AuthType               Basic
        AuthName              "Protected Material"
        AuthDBMUserFile    /user2
        Require                  valid-user
    </Directory>
>How-To-Repeat:
Recreation steps
    1. Execute the dbmmanage command
        ./dbmmanage /user2 add kubota 1107
    2. Check the 'user2' file
        Password was NOT encrypted
    3. Access the protected URL from a browser
        Couldn't retrieve the document, and an error message was written to
        the error log file as shown below
            user kubota: password mismatch: /manual/index.html
>Fix:
none
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <apbugs@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED.  This is not done]
[automatically because of the potential for mail loops. ]
[If you do not include this Cc, your reply may be ig-   ]
[nored unless you are responding to an explicit request ]
[from a developer.                                      ]
[Reply only with text; DO NOT SEND ATTACHMENTS!         ]
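
A defensive check for the condition this report describes, as an added example that is not part of the original message or of Apache's code: it flags user-file entries whose password field does not have the shape of a hash that Apache's password tools write. The format list, the function names and the sample records are assumptions constructed for illustration.

```python
import re

# Password-hash formats written by Apache's password tools (assumed list).
HASH_FORMATS = {
    "des-crypt": re.compile(r"[./0-9A-Za-z]{13}"),
    "apr1-md5": re.compile(r"\$apr1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}"),
    "sha1": re.compile(r"\{SHA\}[A-Za-z0-9+/]{27}="),
    "bcrypt": re.compile(r"\$2[aby]\$\d{2}\$[./0-9A-Za-z]{53}"),
}


def classify(value):
    """Return the hash format of a stored value, or 'plaintext'."""
    # mod_auth_dbm ignores everything after the first colon (group, comment).
    password_field = value.split(":", 1)[0]
    for name, pattern in HASH_FORMATS.items():
        if pattern.fullmatch(password_field):
            return name
    # Limitation: a 13-character plaintext drawn from the crypt alphabet
    # cannot be told apart from a DES crypt hash by shape alone.
    return "plaintext"


def audit(records):
    """Return the sorted user names whose stored password is not hashed."""
    return sorted(u for u, v in records.items() if classify(v) == "plaintext")


# Constructed records: "kubota" mirrors the entry from the report; the hash
# strings are made-up values with the right shape, not real hashes.
SAMPLE = {
    "kubota": "1107",
    "alice": "ab1Xg3kq9ZpLm",
    "bob": "$apr1$abcdefgh$ABCDEFGHIJKLMNOPQRSTUV",
    "carol": "ab1Xg3kq9ZpLm:staff",
    "dave": "secret:staff",
}

if __name__ == "__main__":
    for user in audit(SAMPLE):
        print(f"{user}: password stored without hashing")
```

To audit a real user file, load its key/value pairs into a dict with a DBM reader that matches the library the file was created with, then pass that dict to `audit`.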
