Bug 77414 - CAN-2003-0084 mod_auth_any popen without checking for ; or " in input
Summary: CAN-2003-0084 mod_auth_any popen without checking for ; or " in input
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: mod_auth_any
Version: 7.2
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nalin Dahyabhai
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2002-11-06 18:46 UTC by Daniel Jarboe
Modified: 2007-04-18 16:48 UTC (History)
0 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2003-05-02 11:56:11 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2003:113 0 normal SHIPPED_LIVE : Updated mod_auth_any packages available 2003-05-02 04:00:00 UTC

Description Daniel Jarboe 2002-11-06 18:46:34 UTC
Description of problem:
User Name and Password are not checked before passing them to a popen call.  A 
user name of ;touch /tmp/mod_auth_any shows that sh commands are run with 
priveledges of webserver.  Also, a " will bypass calling the AuthAnyUserProg 
program altogether, with the following entries in apache's error log:
sh: -c: line 1: unexpected EOF while looking for matching `"'
sh: -c: line 2: syntax error: unexpected end of file

By entering a desired user name and a " in the password (to bypass the 
authentication script), REMOTE_USER is still set in the environment for 
whatever resources the client accesses.

Version-Release number of selected component (if applicable):
1.0.2-1

How reproducible:
Always

Steps to Reproduce:
1. Setup AuthType basic using AuthAnyUserProg in apache
2. Use a web-browsing client to access the restricted directory
3. Submit username or password with a " to bypass the auth program, or put in 
a ; before shell commands.
	

Actual Results:  The auth program was bypassed and resources accessed without 
proper authentication, and/or shell commands run with webserver priveledges.

Expected Results:  The authorization program should have been called to 
authenticate the user without user-supplied sh commands being run.

Additional info:

Looks like the most recent version of mod_auth_any.c (1.2) is still vulnerable.

Comment 1 Nalin Dahyabhai 2003-03-24 21:54:31 UTC
Unfortunately we can't change the module to pass sensitive information in via
stdio, but the quoting can at least be fixed.

Comment 2 Mark J. Cox 2003-05-02 11:56:11 UTC
An errata has been issued which should help the problem described in this bug report. 
This report is therefore being closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, please follow the link below. You may reopen 
this bug report if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2003-113.html



Note You need to log in before you can comment on or make changes to this bug.