>Number: 1335 >Category: mod_auth-any >Synopsis: mod_auth (Basic Authentication) cannot handle fields in passwd >beyond the password itself. >Confidential: no >Severity: non-critical >Priority: medium >Responsible: apache >State: open >Class: sw-bug >Submitter-Id: apache >Arrival-Date: Wed Oct 29 15:50:01 PST 1997 >Last-Modified: >Originator: [EMAIL PROTECTED] >Organization: apache >Release: 1.2.4 >Environment: HPUX 9.04: HP-UX voodoo A.09.04 E 9000/887 427376281 8-user license >Description: Switching to Apache from CERN, I noticed that my password files for Basic authentication (I have several different groups of users from different parts of the company) no longer worked. The problem was that I used a 3-field password file, where the third field was the user's name. CERN simply ignored any extra fields after the password, but mod_auth.c reads up to the first ":" to test username, then returns the entire remaining record as the encrypted password. The attached patch causes the loop in get_pw() to extract the next colon-delimited field and return that, instead. The way getword() works, if you only have the two fields you still get what you expect. This may not be a bug to you folks, but since some of these files list users outside my NIS maps, I like having the names close-by so I can look up the phone numbers if problems come up. >How-To-Repeat: Take any password file you have for Basic authentication and add a third colon-delimited field to it, then try to authenticate with a valid password. I don't use DBM-based auth or BerkeleyDB auth, so I cannot comment on whether those have the same behavior. >Fix: I have a patch to mod_auth.c that will fix it. Rather than attach it here, I will be glad to e-mail it to a specific address >Audit-Trail: >Unformatted:
