>Number:         4205
>Category:       mod_auth-any
>Synopsis:       password written by dbmmanage command with add operand is NOT encrypted
>Confidential:   no
>Severity:       critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Wed Apr  7 04:10:00 PDT 1999
>Last-Modified:
>Originator:     [EMAIL PROTECTED]
>Organization:
apache
>Release:        1.3.3.1
>Environment:
AIX V4.2.1
IBM HTTP Server V 1.3.3.1
Perl V5.00404
>Description:
When I executed the following dbmmanage command, the password added in the
password file was NOT encrypted.
    ./dbmmanage /user2 add kubota 1107
And when I tried to access a protected document from a client browser, I got an
error message saying "password mismatch".

UserID, Password
    UserID      kubota
    Password    1107

httpd.conf definition
    LoadModule dbm_auth_module /libexec/mod_auth_dbm.so

    <Directory /usr/lpp/HTTPServer/share/htdocs/manual>
        AuthType               Basic
        AuthName              "Protected Material"
        AuthDBMUserFile    /user2
        Require                  valid-user
    </Directory>
>How-To-Repeat:
Recreation steps
    1. Execute the dbmmanage command
        ./dbmmanage /user2 add kubota 1107
    2. Check the 'user2' file
        Password was NOT encrypted
    3. Access the protected URL from a browser
        Couldn't retrieve the document, and an error message was written to
        the error log file as shown below
            user kubota: password mismatch: /manual/index.html
>Fix:
none
>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <[EMAIL PROTECTED]> in the Cc line ]
[and leave the subject line UNCHANGED.  This is not done]
[automatically because of the potential for mail loops. ]
[If you do not include this Cc, your reply may be ig-   ]
[nored unless you are responding to an explicit request ]
[from a developer.                                      ]
[Reply only with text; DO NOT SEND ATTACHMENTS!         ]
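
Added example, not part of the original report and not Apache code: a small audit that flags users in an AuthDBMUserFile whose stored password field is not in a recognised hash format, which is the condition this report describes. It goes beyond the report by also recognising hash formats accepted by later Apache releases. The function names and the sample records are constructed for illustration.

```python
import re

# Stored-value formats treated as "hashed" by this audit (assumption: the
# traditional 13-character DES crypt(3) form, plus formats that later Apache
# releases also accept).
HASH_FORMATS = {
    "des-crypt": re.compile(r"[./0-9A-Za-z]{13}"),
    "apr1-md5": re.compile(r"\$apr1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}"),
    "sha1": re.compile(r"\{SHA\}[A-Za-z0-9+/]{27}="),
    "bcrypt": re.compile(r"\$2[aby]\$\d{2}\$[./0-9A-Za-z]{53}"),
}


def classify(value):
    """Return the hash format of a stored DBM value, or None if it looks like plaintext."""
    if isinstance(value, bytes):
        value = value.decode("latin-1")
    # Only the text before the first colon is the password field; the rest
    # (group list, comment) is ignored for this check.
    password_field = value.split(":", 1)[0]
    for name, pattern in HASH_FORMATS.items():
        if pattern.fullmatch(password_field):
            return name
    return None


def audit(records):
    """Return the sorted user names whose stored password field is not a recognised hash."""
    flagged = []
    for user, value in records.items():
        if isinstance(user, bytes):
            user = user.decode("latin-1")
        if classify(value) is None:
            flagged.append(user)
    return sorted(flagged)


# Constructed sample records. "kubota" mirrors the entry from the report; the
# hash strings are made-up values of the right shape, not real hashes.
SAMPLE = {
    b"kubota": b"1107",
    b"alice": b"ab01FAX.bQRSU",
    b"bob": b"$apr1$Qx3k9/..$" + b"A" * 22 + b":staff",
}

if __name__ == "__main__":
    # To audit a real file, build the dict from its key/value pairs.
    print(audit(SAMPLE))
```

The check is format-based only: a plaintext password that happens to be exactly 13 characters from the crypt alphabet would pass as des-crypt, so treat a clean result as necessary rather than sufficient.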


