Posted to dev@httpd.apache.org by Rob Hartill <ro...@imdb.com> on 1997/01/07 00:13:38 UTC
1.2B4: Stop password field of AuthUserFile at next colon (fwd)
I remember Dirk was playing with ":"s recently.
Where do we stand on people shooting themselves in the foot with /etc/passwd ?
.. and do we stand on their foot before or after they shoot it ? :-)
---------- Forwarded message ----------
Date: Mon, 6 Jan 1997 16:50:19 -0500 (EST)
From: Gregory Neil Shapiro <gs...@wpi.edu>
To: apache-bugs@apache.org
Cc: aej@wpi.edu
Subject: 1.2B4: Stop password field of AuthUserFile at next colon
Currently, auth_mod.c separates the username and password by the first colon.
However, it sends the rest of the string (after the colon) to crypt for
password comparison. I believe it should use the same code which
auth_mod_dbm.c uses and stop at the next colon. That would allow sites to use
/etc/passwd for the AuthUserFile for system wide functions. Here is a patch
to accomplish this (you'll notice the code is stolen from mod_auth_dbm.c):
*** src/mod_auth.c~ Tue Dec 24 14:10:29 1996
--- src/mod_auth.c Mon Jan 6 16:42:09 1997
***************
*** 122,131 ****
return NULL;
}
while(!(cfg_getline(l,MAX_STRING_LEN,f))) {
if((l[0] == '#') || (!l[0])) continue;
rpw = l;
w = getword(r->pool, &rpw, ':');
!
if(!strcmp(user,w)) {
pfclose(r->pool, f);
return pstrdup (r->pool, rpw);
--- 122,134 ----
return NULL;
}
while(!(cfg_getline(l,MAX_STRING_LEN,f))) {
+ char *colon_pw;
if((l[0] == '#') || (!l[0])) continue;
rpw = l;
w = getword(r->pool, &rpw, ':');
! /* Password is up to first : if exists */
! colon_pw = strchr(rpw,':');
! if (colon_pw) *colon_pw='\0';
if(!strcmp(user,w)) {
pfclose(r->pool, f);
return pstrdup (r->pool, rpw);
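Review bot: the cut at the next ':' makes a full /etc/passwd usable as an AuthUserFile, and the thread rightly treats that as a foot-gun: system login credentials become checkable over HTTP Basic auth, where the thread notes they travel in the clear, and on a shadowed system the second field is only a placeholder so every login silently fails. Pair the change with the documentation warning Dirk mentions, and say in the mod_auth docs that only the second field is consulted. The code itself is sound: `l` is the local line buffer so writing '\0' into it is safe, `char *colon_pw;` sits at the top of the loop block so C89 compilers accept it, and the `pstrdup` copy is taken after truncation so the caller never sees the trailing fields.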
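To make the before/after behaviour of the patch concrete, here is an added stand-alone example (my own code, not Apache's mod_auth.c): a hypothetical `lookup_pw()` that reads an in-memory AuthUserFile the way the patched loop does, with a flag to switch between the old "everything after the first colon" behaviour and the patched "stop at the next colon" behaviour, run over constructed htpasswd-style and passwd-style lines.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup */
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the mod_auth.c lookup (not Apache code): find
 * `user` in an in-memory text AuthUserFile, skipping '#' and blank lines as
 * the patched loop does. stop_at_colon == 0 mimics the pre-patch code (all
 * text after the first ':' is returned); 1 applies the patch. NULL if absent. */
char *lookup_pw(const char *file, const char *user, int stop_at_colon)
{
    char l[256];                                /* line buffer, MAX_STRING_LEN in mod_auth.c */
    const char *p = file;
    while (*p) {
        size_t n = strcspn(p, "\n");            /* copy one line, as cfg_getline does */
        if (n >= sizeof l) n = sizeof l - 1;
        memcpy(l, p, n);
        l[n] = '\0';
        p += n + (p[n] == '\n');
        if (l[0] == '#' || !l[0]) continue;
        char *rpw = strchr(l, ':');             /* getword(&rpw, ':') equivalent */
        if (rpw) *rpw++ = '\0';                 /* l now holds just the username */
        else rpw = l + strlen(l);               /* no ':' -> empty password field */
        if (stop_at_colon) {                    /* the patch's three lines */
            char *colon_pw = strchr(rpw, ':');
            if (colon_pw) *colon_pw = '\0';
        }
        if (strcmp(user, l) == 0)
            return strdup(rpw);                 /* caller frees, like pstrdup into a pool */
    }
    return NULL;
}

/* Constructed sample: an htpasswd-style line, a comment, a blank line, and
 * two /etc/passwd-style lines (one with a hash, one shadowed with "x"). */
static const char SAMPLE_FILE[] =
    "# constructed AuthUserFile\n"
    "alice:xyAbCdEfGhIjK\n"
    "\n"
    "bob:abQrStUvWxYz1:1001:1001:Bob:/home/bob:/bin/sh\n"
    "carol:x:1002:1002:Carol:/home/carol:/bin/sh\n";

/* 1 if the field looked up for `user` equals `expected`, else 0. */
int pw_field_is(const char *user, int stop_at_colon, const char *expected)
{
    char *pw = lookup_pw(SAMPLE_FILE, user, stop_at_colon);
    int ok = pw != NULL && strcmp(pw, expected) == 0;
    free(pw);
    return ok;
}
```

Note the shadowed "carol" line: with the patch, the field handed to crypt() is just "x", so the comparison can never succeed, which is the quiet failure mode sites using /etc/passwd would hit.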
Re: 1.2B4: Stop password field of AuthUserFile at next colon (fwd)
Posted by Di...@jrc.it.
On Mon, 6 Jan 1997, Rob Hartill wrote:
> I remember Dirk was playing with ":"s recently.
I think I sent in a patch along those lines; the one
below should give a warning with the const * char, but
that is a side issue. I'll check.
> Where do we stand on people shooting themselves in the foot with /etc/passwd ?
Well with the patch I put in a <h2>warning</h2> onto the documentation of
auth, with a very clear message. That should do it I suppose ?
> .. and do we stand on their foot before or after they shoot it ? :-)
Jump!
Actually; I still get email once in a while about mod_auth_nis.c and nis+
which people seem to use; I am not sure whether that was a good idea; but
there is demand for it; and I can see quite a few good arguments on
why to add/have it; and still be perfectly safe.
:-)
Re: 1.2B4: Stop password field of AuthUserFile at next colon (fwd)
Posted by Rob Hartill <ro...@imdb.com>.
On Mon, 6 Jan 1997, Marc Slemko wrote:
> > Where do we stand on people shooting themselves in the foot with /etc/passwd ?
>
> I don't see why not. If /etc/passwd will do anything (ie. isn't
> shadowed), they had better be sure users' passwords can't be cracked by a
> dictionary based attack so I don't see that using /etc/password will hurt
> that much.
>
> What possible problems are there? I can think of:
> - bugs in the webserver that let people get the encrypted
> passwords; sure, but there are a heck of a lot of easier
> ways on most systems.
> - passwords passed plaintext across the network; nothing new,
> on 99% of systems they are anyway.
only that the passwords tend to be passed once (as lethal as that is).
The request can also travel through insecure proxy servers.
> - passwords cached in unsafe browsers; possibly a bit of a
> problem, but if someone has access to the PC they can sniff
> them pretty easily.
I think there's a hole with nph-scripts. They can fake all sorts of
stuff in order to lure the browser into sending the username and password
to it.
I think it was Rob Thau who first (that I noticed) mentioned how dangerous
nph- can be w.r.t. keepalives.
you could write a mini server out of a nph script, and if you can take
Apache out of the loop for a followup request then kaboom, you can write
a password grabber.
Of course that's a problem for all basic auth stuff, but grabbing user
passwords makes it worse.
Maybe we need a way to disable nph and get the buffering stuff sorted out.
Ahhh 2.0. One day.
rob
Re: 1.2B4: Stop password field of AuthUserFile at next colon (fwd)
Posted by Marc Slemko <ma...@znep.com>.
On Mon, 6 Jan 1997, Rob Hartill wrote:
>
> I remember Dirk was playing with ":"s recently.
>
> Where do we stand on people shooting themselves in the foot with /etc/passwd ?
I don't see why not. If /etc/passwd will do anything (ie. isn't
shadowed), they had better be sure users' passwords can't be cracked by a
dictionary based attack so I don't see that using /etc/password will hurt
that much.
What possible problems are there? I can think of:
- bugs in the webserver that let people get the encrypted
passwords; sure, but there are a heck of a lot of easier
ways on most systems.
- passwords passed plaintext across the network; nothing new,
on 99% of systems they are anyway.
- passwords cached in unsafe browsers; possibly a bit of a
problem, but if someone has access to the PC they can sniff
them pretty easily.