Vulnerability Development mailing list archives
Re: Apache ap_getpass vulnerability
From: Simon Tamás <simont () westel900 hu>
Date: Mon, 3 Jan 2000 21:50:57 +0100
Peter Pentchev wrote:
> In all probability, someone will have beaten me to this answer, but oh well. No, Apache (the webserver) can NOT call ap_getpass(). ap_getpass() (and the underlying getpass()) is called for applications running *on a terminal*, to read users' passwords *interactively*. The webserver reads all 'user input' (the HTTP query, its header, arguments, body) from the network; there is no way the webserver shall wait for keyboard input on the socket. This is the browser's - client's - job.
>
> To repeat Jon Poll's statement, the only place where ap_getpass() is called is in htpasswd and htdigest, which just happen to be the only binaries in the Apache distribution that should ever require interactive user input. The SSL modules would have to find another way to validate keys, having at their disposal only the client's query and TCP connection credentials (not that there are too many of those..)
>
> G'luck,
> Peter
>
> --
> This sentence contradicts itself - or rather - well, no, actually it doesn't!
If you have an Apache module and your module uses configuration directives, then configuration records are set up at your module's start-up. At this point I thought it was possible to call ap_getpass() to fill a value in the configuration record (the value of the passphrase accompanying the private key, which is filled with ap_set_file_slot()).

However, I also found difficulties getting user input at module start-up. Looks like my hook function is called twice, and the second time there is no tty.

Any help on this would be appreciated.

S.T.
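An added example, not code from the thread or from Apache: a start-up passphrase reader that only prompts when stdin really is a terminal and otherwise falls back to a permission-checked file, so a configuration hook that runs a second time without a tty fails cleanly instead of blocking. All function names are assumptions for illustration; the file-based fallback is one way to supply a private-key passphrase non-interactively, not the Apache project's own mechanism.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <termios.h>
#include <sys/stat.h>

/* Read one line from `in` into buf and strip the line ending.
 * Returns the number of characters read, or -1 on EOF/error. */
static int read_line(FILE *in, char *buf, size_t cap) {
    if (!fgets(buf, (int)cap, in)) return -1;
    size_t n = strcspn(buf, "\r\n");
    buf[n] = '\0';
    return (int)n;
}

/* Non-interactive path: read the passphrase from a file that must be
 * readable by the owner only. Returns length, -1 on I/O error,
 * -2 if the file is group- or world-accessible. */
int passphrase_from_file(const char *path, char *buf, size_t cap) {
    struct stat st;
    if (stat(path, &st) != 0) return -1;
    if (st.st_mode & (S_IRWXG | S_IRWXO)) return -2;
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    int n = read_line(f, buf, cap);
    fclose(f);
    return n;
}

/* Interactive path: prompt on stderr with echo disabled. Returns -1
 * immediately when stdin is not a terminal (the "no tty" case). */
int passphrase_from_tty(char *buf, size_t cap) {
    struct termios old, noecho;
    if (!isatty(STDIN_FILENO)) return -1;
    if (tcgetattr(STDIN_FILENO, &old) != 0) return -1;
    noecho = old;
    noecho.c_lflag &= ~(tcflag_t)ECHO;
    tcsetattr(STDIN_FILENO, TCSAFLUSH, &noecho);
    fputs("Enter PEM passphrase: ", stderr);
    int n = read_line(stdin, buf, cap);
    tcsetattr(STDIN_FILENO, TCSAFLUSH, &old);   /* restore echo */
    fputc('\n', stderr);
    return n;
}

/* What a config hook would call on every pass: prompt if a terminal is
 * present, otherwise use the configured file (hypothetical directive). */
int obtain_passphrase(const char *fallback_path, char *buf, size_t cap) {
    if (isatty(STDIN_FILENO)) return passphrase_from_tty(buf, cap);
    return fallback_path ? passphrase_from_file(fallback_path, buf, cap) : -1;
}
```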