The following reply was made to PR mod_auth-any/3362; it has been noted by
GNATS.
From: Dirk-Willem van Gulik <[EMAIL PROTECTED]>
To: Kenny Gardner <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED]
Subject: Re: mod_auth-any/3362: Password File is not parsed correctly
Date: Sun, 8 Nov 1998 11:50:52 +0100 (MET)

On 8 Nov 1998, Kenny Gardner wrote:

> >Number: 3362
> >Category: mod_auth-any
> >Synopsis: Password File is not parsed correctly
> >Confidential: no
> >Severity: serious
> >Priority: medium
> >Responsible: apache
> >State: open
> >Class: sw-bug
> >Submitter-Id: apache
> >Arrival-Date: Sat Nov 7 17:10:00 PST 1998
> >Last-Modified:
> >Originator: [EMAIL PROTECTED]
> >Organization:
> apache
> >Release: 1.2.6 and prior (and above?)
> >Environment:
> BSD/OS gapdev.com 3.1 BSDI BSD/OS 3.1 Virtual Kernel #12: Fri Jun 19
> 14:32:14 MDT 1998
>
> gcc version 2.7.2.1
>
> >Description:
> Password Files that are not in the format of:
>
> userid:password
>
> are not parsed correctly.

As you can see in the manual page, .../docs/mod/mod_auth.html, password
files for 1.2.6 are to be in the above format.

Some later versions of apache accommodate the 'passwd(8)' format.

Dw.

> This:
>
> userid:password:7100:100:Staranet Admin:/:ftp;mail
>
> returns a password of:
>
> password:7100:100:Staranet Admin:/:ftp;mail
>
> Anything after the first ":" is considered to be the Password.
> >How-To-Repeat:
> Use your /etc/passwd file for authentication or any password file that
> contains extra information after the password field.
>
>
> >Fix:
> authenticate_basic_user() function in mod_auth.c:
>
> Just before:
>
> /* anyone know where the prototype for crypt is? */
>
> if (strcmp(real_pw,(char *)crypt(sent_pw,real_pw)))
>
>
> Add:
>
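> {
>     /* Terminate real_pw at the first ':' so that only the password
>      * field reaches the crypt()/strcmp() comparison. */
>     char *real_pwptr = real_pw;
>
>     while (*real_pwptr)
>     {
>         if (*real_pwptr == ':')
>         {
>             *real_pwptr = 0;
>             break;
>         }
>
>         ++real_pwptr;
>     }
> }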
> >Audit-Trail:
> >Unformatted:
>
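
The two parsing behaviours discussed in this thread, side by side, as an added example that is not part of the original messages and is not Apache's code. The function names, the buffer size and the sample line (built from the record quoted in the report) are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample record in the passwd-style layout quoted in the report. */
static const char SAMPLE[] =
    "userid:password:7100:100:Staranet Admin:/:ftp;mail\n";

/* Return a pointer to the text after "user:", or NULL if the line belongs
 * to another user. The length check keeps "user" from matching "userid". */
static const char *after_user(const char *line, const char *user)
{
    size_t n = strlen(user);
    if (strncmp(line, user, n) != 0 || line[n] != ':')
        return NULL;
    return line + n + 1;
}

/* Copy the password field into out. With bounded == 0 the field runs to the
 * end of the line (the behaviour reported for 1.2.6); with bounded != 0 it
 * stops at the next ':' (the result the submitted fix produces).
 * Returns 0 on success, -1 if the user does not match or out is too small. */
static int get_pw_field(const char *line, const char *user, int bounded,
                        char *out, size_t outlen)
{
    const char *p = after_user(line, user);
    size_t len;

    if (p == NULL)
        return -1;
    len = strcspn(p, bounded ? ":\r\n" : "\r\n");
    if (len >= outlen)
        return -1;              /* never hand back a silently truncated hash */
    memcpy(out, p, len);
    out[len] = '\0';
    return 0;
}

int main(void)
{
    char pw[128];

    if (get_pw_field(SAMPLE, "userid", 0, pw, sizeof pw) == 0)
        printf("rest of line: %s\n", pw);
    if (get_pw_field(SAMPLE, "userid", 1, pw, sizeof pw) == 0)
        printf("first field:  %s\n", pw);
    return 0;
}
```
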