Posted to dev@perl.apache.org by Geoffrey Young <ge...@modperlcookbook.org> on 2004/05/27 14:45:39 UTC

win32 and apr_password_validate

hi steve :)

if you have a moment, I was wondering if you could verify this scenario for me

  http://marc.theaimsgroup.com/?l=apr-dev&m=108566146802317&w=2

here is a default unix htpasswd user/password (geoff/foo) pair

  geoff:emzquyt3brYm2

it may not be a likely attack, since crypt does not generate a one-way hash,
but it would let a user through without a proper password (if I'm right)
which is probably bad (and a good reason for supporting crypt on win32 :)

--Geoff

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@perl.apache.org
For additional commands, e-mail: dev-help@perl.apache.org


Re: win32 and apr_password_validate

Posted by Geoffrey Young <ge...@modperlcookbook.org>.
> Oh.  I was just about to reply to say yes it does let the user in with 
> the hashed password presented as the password.

yeah.. the reason is apparently that win32 is documented to allow clear-text
passwords for authentication.  this was news to me, but I'm new to win32
httpd land.  so really what I thought was a bug is desirable.  well, not
desirable really, but required for legacy reasons.  and since there is no
real way to tell that crypt() generated text is crypt() generated, adding
fcrypt() to APR really doesn't solve the underlying problem - supporting
both on win32 would mean that two passwords would be valid for every one
entry in .htpasswd.

--Geoff

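The dispatch Geoff describes, modelled as an added example (this is not APR's source and not code posted by anyone on the thread). The geoff:emzquyt3brYm2 entry is the one from the first message; the {SHA} entry, the "sha" user and all function names are constructed for the example, and the $apr1$ MD5 branch is deliberately left out. validate_win32_with_fcrypt is the hypothetical "add fcrypt() but keep clear text" variant he argues against:

```python
"""Model of the apr_password_validate() dispatch discussed in this thread.

Added illustration, not APR's code.  Entries are dispatched on a scheme
prefix ({SHA} here; $apr1$ is left out), and anything without a known
prefix goes to crypt(3) on POSIX builds or is compared as clear text on
the WIN32 build, which has no crypt().
"""
import base64
import hashlib
import hmac

SHA1_ID = "{SHA}"
APR1_ID = "$apr1$"

# Constructed .htpasswd content.  The first line is the entry from the thread
# (user geoff, password foo, a DES crypt(3) string).  The second line was made
# for this example: "{SHA}" followed by base64(sha1("foo")).
HTPASSWD = """\
geoff:emzquyt3brYm2
sha:{SHA}C+7Hteo/D9vJXQ3UfzxbwnXaijM=
"""


def load_htpasswd(text):
    """Parse 'user:stored' lines into a dict; blank and '#' lines are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        entries[user] = stored
    return entries


def sha1_base64(passwd):
    """The {SHA} scheme: base64 of the raw SHA-1 digest, behind the prefix."""
    digest = hashlib.sha1(passwd.encode("utf-8")).digest()
    return SHA1_ID + base64.b64encode(digest).decode("ascii")


def _eq(a, b):
    """Constant-time compare; compare_digest wants bytes for non-ASCII input."""
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def validate(passwd, stored, crypt_fn=None, plaintext_fallback=False):
    """Return True if passwd matches the stored .htpasswd field.

    crypt_fn: crypt(3)-compatible callable (password, salt) -> hash, or None
              on a platform without crypt(), which is the WIN32 case.
    plaintext_fallback: treat an unknown-scheme entry as a clear-text password
              when crypt() is missing or does not match (legacy WIN32 behaviour).
    """
    if stored.startswith(APR1_ID):
        # Real APR computes apr_md5_encode(passwd, stored) here; not modelled.
        raise ValueError("$apr1$ entries are not modelled in this example")
    if stored.startswith(SHA1_ID):
        return _eq(sha1_base64(passwd), stored)

    # No recognised prefix: a crypt(3) string on Unix, or clear text on win32.
    # Nothing in the field itself says which; that is the whole problem.
    matched = False
    if crypt_fn is not None:
        result = crypt_fn(passwd, stored)  # the stored hash doubles as the salt
        matched = result is not None and _eq(result, stored)
    if not matched and plaintext_fallback:
        matched = _eq(passwd, stored)
    return matched


def validate_posix(passwd, stored, crypt_fn):
    """Unix build: unknown schemes go to crypt(3), never to a clear-text compare."""
    return validate(passwd, stored, crypt_fn=crypt_fn, plaintext_fallback=False)


def validate_win32(passwd, stored):
    """WIN32 build of the period: no crypt(), unknown schemes compared as text.

    For geoff:emzquyt3brYm2 this accepts "emzquyt3brYm2" and rejects "foo".
    """
    return validate(passwd, stored, crypt_fn=None, plaintext_fallback=True)


def validate_win32_with_fcrypt(passwd, stored, crypt_fn):
    """Hypothetical: fcrypt() added to WIN32 but the clear-text compare kept for
    legacy entries.  Every crypt entry then has two valid passwords."""
    return validate(passwd, stored, crypt_fn=crypt_fn, plaintext_fallback=True)


if __name__ == "__main__":
    import warnings
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        try:
            import crypt  # POSIX only; removed in Python 3.13, like crypt() on win32
            crypt_fn = crypt.crypt
        except ImportError:
            crypt_fn = None
    users = load_htpasswd(HTPASSWD)
    stored = users["geoff"]
    for candidate in ("foo", stored):
        posix = validate_posix(candidate, stored, crypt_fn) if crypt_fn else "n/a"
        print(f"{candidate!r:>16}  posix={posix!s:<5}  win32={validate_win32(candidate, stored)}")
```

Run stand-alone it prints the win32 verdict (and the POSIX one where Python still ships a crypt module) for both "foo" and the stored string. The point it makes is the one in Geoff's message: an unprefixed field carries no marker saying whether it is crypt() output or a clear-text password, so any code path that accepts clear text for such entries necessarily accepts the hash string too, and bolting a crypt implementation on beside that path just makes both strings valid.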

Re: win32 and apr_password_validate

Posted by Steve Hay <st...@uk.radan.com>.
Geoffrey Young wrote:

>Geoffrey Young wrote:
>  
>
>>hi steve :)
>>
>>if you have a moment, I was wondering if you could verify this scenario for me
>>    
>>
>
>ah, forget it.  the thread has gone on over in apr-dev@ as well as on irc
>with ryan.  there are other issues in play, apparently.
>
Oh.  I was just about to reply to say yes it does let the user in with 
the hashed password presented as the password.

- Steve



------------------------------------------------
Radan Computational Ltd.

The information contained in this message and any files transmitted with it are confidential and intended for the addressee(s) only.  If you have received this message in error or there are any problems, please notify the sender immediately.  The unauthorized use, disclosure, copying or alteration of this message is strictly forbidden.  Note that any views or opinions presented in this email are solely those of the author and do not necessarily represent those of Radan Computational Ltd.  The recipient(s) of this message should check it and any attached files for viruses: Radan Computational will accept no liability for any damage caused by any virus transmitted by this email.


Re: win32 and apr_password_validate

Posted by Geoffrey Young <ge...@modperlcookbook.org>.

Geoffrey Young wrote:
> hi steve :)
> 
> if you have a moment, I was wondering if you could verify this scenario for me

ah, forget it.  the thread has gone on over in apr-dev@ as well as on irc
with ryan.  there are other issues in play, apparently.

--Geoff
