Re: Apache ap_getpass vulnerability

[Simon Tamás <simont () westel900 hu>]

Peter Pentchev wrote:
> In all probability, someone will have beat me to this answer, but oh well.
>
> No, Apache (the webserver) can NOT call ap_getpass().  ap_getpass()
> (and the underlying getpass()) is called for applications running
> *on a terminal*, to read user's passwords *interactively*.  The webserver
> reads all 'user input' (the HTTP query, its header, arguments, body)
> from the network; there is no way the webserver shall wait for keyboard
> input on the socket.  This is the browser's - client's - job.
>
> To repeat Jon Poll's statement, the only place where ap_getpass() is called
> is in htpasswd and htdigest, which just happen to be the only binaries
> in the Apache distribution that should ever require interactive user input.
> The SSL modules would have to find another way to validate keys having
> at their disposal only the client's query and TCP connection credentials
> (not that there are too many of those..)
>
> G'luck,
> Peter
>
> --
> This sentence contradicts itself - or rather - well, no, actually it doesn't!

If you have an Apache module and your module uses configuration
directives then configuration
records are set up at your modules start up. At this point I thought it
was possible to call
ap_getpass() to fill a value in the configuration record (value of
passphrase acoompanying
the privatekey -- which is filled with ap_set_file_slot())
However I also found difficulties getting user input at module start-up.
Looks like my hook function is called twice, and at the second time
there is no tty
Any help on this would be appreciated.

S.T.

Attachment: simont.vcf
Description: Card for Simon Tamás