Return-Path:
Delivered-To: apache-bugdb-archive@hyperreal.org
Received: (qmail 2292 invoked by uid 6000); 7 Apr 1999 11:10:09 -0000
Received: (qmail 1919 invoked by uid 2001); 7 Apr 1999 11:10:01 -0000
Received: (qmail 1541 invoked by uid 2012); 7 Apr 1999 11:05:47 -0000
Message-Id: <19990407110547.1540.qmail@hyperreal.org>
Date: 7 Apr 1999 11:05:47 -0000
From: Tatsuzo Kubota
Reply-To: E20022@jp.ibm.com
To: apbugs@hyperreal.org
X-Send-Pr-Version: 3.2
Subject: mod_auth-any/4205: password written by dbmmanage command with add operand is NOT encrypted
Sender: apache-bugdb-owner@apache.org
Precedence: bulk

>Number:         4205
>Category:       mod_auth-any
>Synopsis:       password written by dbmmanage command with add operand is NOT encrypted
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Wed Apr 7 04:10:00 PDT 1999
>Last-Modified:
>Originator:     E20022@jp.ibm.com
>Organization:
apache
>Release:        1.3.3.1
>Environment:
AIX V4.2.1
IBM HTTP Server V 1.3.3.1
Perl V5.00404
>Description:
When I executed the following dbmmanage command, the password added to the
password file was NOT encrypted.

    ./dbmmanage /user2 add kubota 1107

And when I tried to access a protected document from a client browser, I got
an error message saying "password mismatch".

UserID, Password
    UserID    kubota
    Password  1107

httpd.conf definition
    LoadModule dbm_auth_module /libexec/mod_auth_dbm.so
    AuthType Basic
    AuthName "Protected Material"
    AuthDBMUserFile /user2
    Require valid-user
>How-To-Repeat:
Recreation steps
1. Execute the dbmmanage command
       ./dbmmanage /user2 add kubota 1107
2. Check the 'user2' file
       Password was NOT encrypted
3. Access the protected URL from a browser
       Couldn't retrieve the document, and an error message was written to
       the error log file as shown below
       user kubota: password mismatch: /manual/index.html
>Fix:
none
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include in the Cc line ]
[and leave the subject line UNCHANGED. This is not done]
[automatically because of the potential for mail loops. ]
[If you do not include this Cc, your reply may be ig- ]
[nored unless you are responding to an explicit request ]
[from a developer. ]
[Reply only with text; DO NOT SEND ATTACHMENTS! ]
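
Added example (not part of the original report and not Apache's code): a Python check that flags DBM user entries whose stored password field is not in a recognised hash form, as with the value 1107 stored for kubota in the report above. The "user:value" input lines, the sample records and the function names are assumptions constructed for illustration.

```python
import re

# Shapes of a hashed password field. Traditional crypt() output is 13 characters
# from [./0-9A-Za-z]; "$apr1$" and "{SHA}" are forms accepted by later Apache
# releases (allowing them here is an assumption about local policy).
HASH_FORMATS = [
    ("des-crypt", re.compile(r"[./0-9A-Za-z]{13}")),
    ("apr1-md5", re.compile(r"\$apr1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}")),
    ("sha1", re.compile(r"\{SHA\}[A-Za-z0-9+/]{27}=")),
]


def classify(stored_value):
    """Return the hash format name of a stored value, or None if unrecognised."""
    # The password is the part before the first ':'; group and comment fields
    # that may follow it are ignored.
    password_field = stored_value.split(":", 1)[0]
    for name, pattern in HASH_FORMATS:
        if pattern.fullmatch(password_field):
            return name
    # Shape check only: a 13-character plaintext would still pass as des-crypt.
    return None


def parse_dump(lines):
    """Parse 'user:value' lines (assumed dump format) into a dict."""
    entries = {}
    for line in lines:
        line = line.strip()
        if line and ":" in line:
            user, value = line.split(":", 1)
            entries[user] = value
    return entries


def audit(entries):
    """Return the sorted user names whose password field is not a known hash."""
    return sorted(u for u, v in entries.items() if classify(v) is None)


# Constructed sample dump: the first record mirrors the report (user kubota,
# stored value 1107); the others are constructed hash-shaped values.
SAMPLE_DUMP = [
    "kubota:1107",
    "alice:abJnggxhB/yWI",
    "bob:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/:staff",
    "carol:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=",
]

if __name__ == "__main__":
    for user in audit(parse_dump(SAMPLE_DUMP)):
        print(f"{user}: stored value is not a recognised password hash")
```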