Description of problem:
User Name and Password are not checked before passing them to a popen call. A
user name of ;touch /tmp/mod_auth_any shows that sh commands are run with
privileges of webserver. Also, a " will bypass calling the AuthAnyUserProg
program altogether, with the following entries in Apache's error log:

sh: -c: line 1: unexpected EOF while looking for matching `"'
sh: -c: line 2: syntax error: unexpected end of file

By entering a desired user name and a " in the password (to bypass the
authentication script), REMOTE_USER is still set in the environment for
whatever resources the client accesses.
Version-Release number of selected component (if applicable):

Steps to Reproduce:
1. Set up AuthType basic using AuthAnyUserProg in Apache
2. Use a web-browsing client to access the restricted directory
3. Submit username or password with a " to bypass the auth program, or put in
a ; before shell commands.

Actual Results: The auth program was bypassed and resources accessed without
proper authentication, and/or shell commands run with webserver privileges.

Expected Results: The authorization program should have been called to
authenticate the user without user-supplied sh commands being run.
Looks like the most recent version of mod_auth_any.c (1.2) is still vulnerable.
Unfortunately we can't change the module to pass sensitive information in via
stdio, but the quoting can at least be fixed.
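Added example, not code from mod_auth_any or from the errata: the popen() pattern the report describes (the exact format string is an assumed shape) beside a replacement that hands the user name and password to the AuthAnyUserProg as separate argv entries through fork()/execv(), so no shell ever parses them and ';' or '"' are just bytes. The names credential_is_clean, auth_via_popen, auth_via_execv, kDemoAuthProg and the /bin/sh one-liner standing in for an auth program are all constructed for this example. Caveat, matching the comment above about stdio: argv is visible to other local users in ps output, so passing the password on stdin remains preferable to any argv-based scheme; this example only fixes the injection.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_ARGV 16

/* Vulnerable shape from the report (format string is an assumption, not the
 * module's own code): credentials are spliced into a command line and given
 * to popen(), i.e. to `sh -c`, so quoting and ';' in them are live syntax.
 * Shown for contrast only; not called anywhere below. */
int auth_via_popen(const char *prog, const char *user, const char *pass)
{
    char cmd[512];
    snprintf(cmd, sizeof cmd, "%s \"%s\" \"%s\"", prog, user, pass);
    FILE *fp = popen(cmd, "r");
    if (fp == NULL)
        return -1;
    return pclose(fp);
}

/* Defence in depth: reject empty, oversized or non-printable credentials
 * (newlines would corrupt the auth program's input and the error log).
 * Shell metacharacters are deliberately allowed: with execv() they carry no
 * meaning, and banning them would only shrink the password space. */
int credential_is_clean(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > 255)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (!isprint((unsigned char)s[i]))
            return 0;
    return 1;
}

/* Hardened replacement: `prefix` is a NULL-terminated argv for the auth
 * program (e.g. {"/usr/lib/authprog", NULL}); user and pass are appended as
 * two further arguments. No command string is built, so nothing the client
 * supplied is ever interpreted by a shell.
 * Returns the program's exit status (0 = authenticated), 127 if it could not
 * be executed, -1 for invalid input or a fork/wait failure. */
int auth_via_execv(char *const prefix[], const char *user, const char *pass)
{
    char *argv[MAX_ARGV];
    int n = 0;

    if (!credential_is_clean(user) || !credential_is_clean(pass))
        return -1;
    while (prefix[n] != NULL) {
        if (n >= MAX_ARGV - 3)   /* leave room for user, pass, NULL */
            return -1;
        argv[n] = prefix[n];
        n++;
    }
    argv[n++] = (char *)user;
    argv[n++] = (char *)pass;
    argv[n] = NULL;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(argv[0], argv);   /* direct exec: no sh -c in the path */
        _exit(127);             /* only reached if exec itself failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

/* Constructed stand-in for an AuthAnyUserProg: a shell one-liner comparing
 * its positional parameters. The credentials arrive as $1 and $2, never as
 * part of the script text, so even this shell cannot be injected into. */
char *const kDemoAuthProg[] = {
    "/bin/sh", "-c", "[ \"$1\" = alice ] && [ \"$2\" = s3cret ]", "authprog", NULL
};
/* Constructed path that does not exist, to show the exec-failure status. */
char *const kDemoMissingProg[] = { "/nonexistent/authprog", NULL };

int main(void)
{
    printf("valid login:    %d\n", auth_via_execv(kDemoAuthProg, "alice", "s3cret"));
    printf("wrong password: %d\n", auth_via_execv(kDemoAuthProg, "alice", "guess"));
    printf("metacharacters: %d\n", auth_via_execv(kDemoAuthProg, "x;y", "\""));
    printf("newline in name: %d\n", auth_via_execv(kDemoAuthProg, "alice\n", "s3cret"));
    printf("missing program: %d\n", auth_via_execv(kDemoMissingProg, "alice", "s3cret"));
    return 0;
}
```

The third call is the point of the example: a name containing ';' and a password that is a lone '"' simply fail authentication with status 1, where the popen() version would have produced the `unexpected EOF while looking for matching` error from the report and skipped the auth program entirely.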
An errata has been issued which should help the problem described in this bug report.
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen
this bug report if the solution does not work for you.