[Secure-testing-team] Bug#539246: apache2: Incorrect password check with CRYPT

Alexander Over info at quadrat4.de
Thu Jul 30 06:27:59 UTC 2009


Package: apache2.2-common
Version: 2.2.9-10+lenny4
Severity: grave
Tags: security
Justification: user security hole


If you create a user/password combination with htpasswd using the default
CRYPT encryption and a password with more than 8 chars, the website still
grants you access when you type in the first 8 chars or the complete password.

e.g. if you provide test42test as the password, you can type in just test42te
to get access.

This bug affects x86 systems too.

-- Package-specific info:
List of enabled modules from 'apache2 -M':
  alias auth_basic authn_file authnz_ldap authz_default
  authz_groupfile authz_host authz_user autoindex cgi deflate dir env
  ldap mime negotiation perl php5 python radius_auth rewrite setenvif
  ssl status userdir

-- System Information:
Debian Release: 5.0.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.29-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages apache2 depends on:
ii  apache2-mpm-prefork      2.2.9-10+lenny4 Apache HTTP Server - traditional n

apache2 recommends no packages.

apache2 suggests no packages.

Versions of packages apache2.2-common depends on:
ii  apache2-utils       2.2.9-10+lenny4      utility programs for webservers
ii  libapr1             1.2.12-5             The Apache Portable Runtime Librar
ii  libaprutil1         1.2.12+dfsg-8+lenny3 The Apache Portable Runtime Utilit
ii  libc6               2.7-18               GNU C Library: Shared libraries
ii  libmagic1           4.26-1               File type determination library us
ii  libssl0.9.8         0.9.8g-15+lenny1     SSL shared libraries
ii  lsb-base            3.2-20               Linux Standard Base 3.2 init scrip
ii  mime-support        3.44-1               MIME files 'mime.types' & 'mailcap
ii  net-tools           1.60-22              The NET-3 networking toolkit
ii  perl                5.10.0-19            Larry Wall's Practical Extraction 
ii  procps              1:3.2.7-11           /proc file system utilities
ii  zlib1g              1:1.2.3.3.dfsg-12    compression library - runtime

-- no debconf information
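Added defender's check, not part of this bug report: a small Python auditor that parses an htpasswd file and flags entries still stored in the default CRYPT format, whose DES-based crypt(3) only uses the first 8 bytes of the password (hence test42test and test42te hashing identically). The htpasswd content below is constructed for the example and not taken from the reporter's system.

```python
import re
from typing import List, Tuple

# Constructed sample htpasswd content (not from the reporter's system) showing
# the hash formats htpasswd can emit. "alice" mimics a default CRYPT entry:
# 13 characters from [./0-9A-Za-z], 2 of them the salt. The bcrypt line is a
# placeholder of the right shape, not a real hash.
SAMPLE_HTPASSWD = """\
alice:abJnggxhB/yWI
bob:$apr1$saltsalt$Rk9o2qA3Yb1L8gq.8sW3e/
carol:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
dave:$2y$05$placeholderplaceholderplaceholderplaceholderplaceho
# comment line, ignored by the auditor
"""

# Traditional DES crypt(3) output: 2 salt chars + 11 hash chars, no '$' prefix.
CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify_hash(h: str) -> str:
    """Name the password hash format of one htpasswd field."""
    if h.startswith("$apr1$"):
        return "apr1-md5"            # htpasswd -m
    if h.startswith("{SHA}"):
        return "sha1"                # htpasswd -s
    if h.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"              # htpasswd -B (newer releases)
    if CRYPT_RE.match(h):
        return "crypt-des"           # htpasswd -d / the 2.2 default: 8-byte limit
    return "unknown"


def audit_htpasswd(text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, user, format) for every credential line."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, h = line.partition(":")
        findings.append((lineno, user, classify_hash(h) if sep else "malformed"))
    return findings


def weak_crypt_users(text: str) -> List[str]:
    """Users whose stored hash silently truncates their password to 8 bytes."""
    return [user for _, user, kind in audit_htpasswd(text) if kind == "crypt-des"]


if __name__ == "__main__":
    for user in weak_crypt_users(SAMPLE_HTPASSWD):
        print(f"{user}: CRYPT entry, re-hash with htpasswd -m or -B")
```

Run it against /etc/apache2 password files (or wherever AuthUserFile points) and re-create the flagged entries with a non-CRYPT format so that the full password is checked.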