Subject: Apache ap_getpass vulnerability
From: Simon Tamás (simont WESTEL900.HU)
Date: Fri Dec 31 1999 - 22:24:04 CST
Hi
I found this possible vulnerability in Apache 1.3.14 (latest version).
It affects Apache modules that call the ap_getpass function on Unix
platforms.
It probably exists in earlier releases, though I haven't checked.
The Apache API ap_getpass function is a wrapper around the OS's
getpass() function - in case it exists, or defines their own
implementation of getpass.
Quote from getpass manual:
The getpass function leaves its result in an internal static object and
returns a pointer to that object. Subsequent calls to getpass will
modify the same object.
The calling process should zero the password as soon as possible to
avoid leaving the cleartext password visible in the process's address
space.
Apache doesn't do this "zeroing" so it's possible to get this value.
What do you think?
Regards
S.T.
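
The zeroing step the quoted manual text asks for, as an added example that is not part of the original post and is not Apache's code. fake_getpass, scrub, read_password and the residue helpers are hypothetical names; fake_getpass stands in for getpass() (same static-buffer contract, input taken from a string) so the example runs without a terminal.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define PW_MAX 128

/* Hypothetical stand-in for getpass(3): the result lives in an internal
 * static object and a pointer to that object is returned. */
static char pw_static[PW_MAX + 1];

static char *fake_getpass(const char *typed)
{
    strncpy(pw_static, typed, PW_MAX);
    pw_static[PW_MAX] = '\0';
    return pw_static;
}

/* Zero through a volatile pointer so the stores are not removed as dead. */
static void scrub(void *p, size_t n)
{
    volatile unsigned char *v = p;
    while (n--) *v++ = 0;
}

/* Caller that follows the manual: copy the password out, then zero the
 * static object on both the success and the error path. */
int read_password(const char *typed, char *out, size_t outlen)
{
    char *pw = fake_getpass(typed);
    size_t len = strlen(pw);
    int rc = -1;
    if (len < outlen) { memcpy(out, pw, len + 1); rc = 0; }
    scrub(pw, PW_MAX + 1);
    return rc;
}

/* Number of non-zero bytes still sitting in the static buffer. */
size_t residue_bytes(void)
{
    size_t i, n = 0;
    for (i = 0; i < sizeof pw_static; i++) if (pw_static[i]) n++;
    return n;
}

/* Caller that never zeroes: the password stays in the address space. */
size_t residue_without_scrub(const char *typed)
{
    fake_getpass(typed);
    return residue_bytes();
}

/* Caller that zeroes the static object and its own copy once done. */
size_t residue_with_scrub(const char *typed)
{
    char copy[PW_MAX + 1];
    read_password(typed, copy, sizeof copy);
    scrub(copy, sizeof copy);
    return residue_bytes();
}

int main(void)
{
    /* "hunter2" is a constructed sample password. */
    printf("left behind without zeroing: %zu bytes\n", residue_without_scrub("hunter2"));
    printf("left behind with zeroing:    %zu bytes\n", residue_with_scrub("hunter2"));
    return 0;
}
```

The caller's own copy needs the same treatment once the password has been checked, which is why residue_with_scrub clears it as well.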