On Tue, 31 Jan 2012 11:27:32 +0000 "Rai, Pravesh R (STSD)" <[email protected]> wrote:
> Hi,
>
> We are using Apache 2.2.21 with our product in HP. As we all know that during
> some failure operations, Windows OS stores the memory dump as .mdmp & .hdmp
> files. In our case we have observed credentials (in plain text) in those dump
> files, which is a security concern for us.

Thanks for pointing this out. What credentials specifically? If that's HTTP Basic Auth (or equivalent level of non-encryption) the strings from the HTTP Request headers will exist in memory with the potential to appear in a dump!

> Have tried to modify a few Apache source files, like:
>
> httpd\srclib\apr-util\buckets\apr_brigade.c (diff file w.r.t. to Apache
> 2.2.21: diff_apr_brigade.c.txt)

Your diff looks fine, but note that anything under apr or apr-util belongs to the APR project, not to httpd.

> httpd\modules\ssl\ssl_engine_io.c (diff file w.r.t. to Apache 2.2.21:
> diff_ssl_engine_io.c.txt)

That one sets to NULL after a memmove. Since memmove supports overlapping source and destination buffers, you could be introducing complex edge-case side-effects. Have you checked?

> Though the changes are minor & mainly intended to clean the buffer, but so
> far our Security testing team has not found any plain text credentials in any
> of our application dump files. Please go through these changes & let us know
> your views.

I can imagine there might be other such instances in the code.

-- 
Nick Kew
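The memmove hazard Nick raises is easy to see with a small constructed buffer. The following is an added illustration, not Pravesh's diff and not httpd or APR code: it scrubs a source region after a memmove while accounting for overlap, and contrasts it with the naive "memset the whole source afterwards", which clobbers part of the data that was just moved. The `secure_zero` helper is a hypothetical stand-in for the volatile-function-pointer idiom (platform calls such as explicit_bzero or SecureZeroMemory would do the same job) so the compiler cannot drop the wipe as a dead store; all byte values are made up for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: call memset through a volatile pointer so the
 * optimizer must not elide the wipe of a buffer that is never read again. */
static void *(*const volatile secure_memset_ptr)(void *, int, size_t) = memset;

static void secure_zero(void *p, size_t n)
{
    secure_memset_ptr(p, 0, n);
}

/* Move n bytes from src to dst, then scrub only the part of the source
 * region that the destination does NOT now occupy. Wiping all of src
 * after an overlapping memmove would destroy part of the moved data. */
static void move_and_scrub(unsigned char *dst, unsigned char *src, size_t n)
{
    memmove(dst, src, n);
    if (dst == src || n == 0)
        return;
    if (dst < src && src < dst + n) {
        /* dst overlaps the front of src: leftover source is [dst+n, src+n) */
        secure_zero(dst + n, (size_t)(src - dst));
    } else if (src < dst && dst < src + n) {
        /* dst overlaps the tail of src: leftover source is [src, dst) */
        secure_zero(src, (size_t)(dst - src));
    } else {
        /* disjoint regions: the whole source can go */
        secure_zero(src, n);
    }
}

/* Constructed scenario: 8-byte buffer 1..8, move bytes [2,6) to [0,4).
 * Returns 1 when dst holds 3,4,5,6 and only the leftover bytes [4,6) are zero. */
static int scenario_overlap_front(void)
{
    unsigned char buf[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    const unsigned char want[8] = {3, 4, 5, 6, 0, 0, 7, 8};
    move_and_scrub(buf, buf + 2, 4);
    return memcmp(buf, want, 8) == 0;
}

/* Same buffer, move [0,4) to [2,6): destination overlaps the tail of the source. */
static int scenario_overlap_back(void)
{
    unsigned char buf[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    const unsigned char want[8] = {0, 0, 1, 2, 3, 4, 7, 8};
    move_and_scrub(buf + 2, buf, 4);
    return memcmp(buf, want, 8) == 0;
}

/* Naive variant: wipe the entire source after the move. Returns 1 when the
 * moved data was clobbered, which is the edge case Nick warns about. */
static int scenario_naive_clobbers(void)
{
    unsigned char buf[8] = {1, 2, 3, 4, 5, 6, 7, 8};
    const unsigned char want[8] = {3, 4, 5, 6, 0, 0, 7, 8};
    memmove(buf, buf + 2, 4);
    memset(buf + 2, 0, 4);          /* wipes buf[2..5], including moved bytes */
    return memcmp(buf, want, 8) != 0;
}

int main(void)
{
    printf("overlap front ok: %d\n", scenario_overlap_front());
    printf("overlap back ok:  %d\n", scenario_overlap_back());
    printf("naive clobbers:   %d\n", scenario_naive_clobbers());
    return 0;
}
```

The overlap arithmetic is the part to review in any such patch: a scrub placed after a memmove is only safe if it is restricted to bytes the destination no longer covers, and a plain memset is additionally at risk of being optimized away when the buffer is dead afterwards.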
