Vulnerability Development mailing list archives
Re: Apache ap_getpass vulnerability
From: "Jon Paul, Nollmann" <sinster () DARKWATER COM>
Date: Thu, 2 Nov 2000 19:47:50 -0800
You have an apache module that communicates via SSL with some other server.
[...]
The private key is usually password protected.
In my experience, the private key is almost never password protected. Reason: since eventually getpass() gets called to read the password, there is no way to redirect this information from a file. That means that it is impossible for the webserver to restart unattended: it will hang waiting for the password to be input, or error-out because there is no controlling terminal (as would be the case of a startup from /etc/rc or its subscripts), and therefore the open of /dev/tty will fail. Since its not reasonable to require the webserver to be restarted manually at every failure, and a password-protected private key requires exactly that, no (or few) people password-protect their private keys. Those few who do password-protect their private keys arrange alternate configuration mechanisms so that they don't have to wait on an admin to type the password at every startup. Otherwise, you're right: if the site depends on an admin typing a password to restart the webserver at every system boot, then the getpass() issue arises. -- Jon Paul Nollmann ne' Darren Senn sinster () balltech net Unsolicited commercial email will be archived at $1/byte/day. The optimist proclaims that we live in the best of all possible worlds; and the pessimist fears this is true. James Branch Cabell, The Silver Stallion, 1926
Current thread:
- Apache ap_getpass vulnerability Simon Tamás (Nov 02)
- Re: Apache ap_getpass vulnerability Jon Paul, Nollmann (Nov 03)
- Re: Apache ap_getpass vulnerability Simon Tamás (Nov 03)
- Re: Apache ap_getpass vulnerability Jon Paul, Nollmann (Nov 04)
- Re: Apache ap_getpass vulnerability Pavel Kankovsky (Nov 05)
- Re: Apache ap_getpass vulnerability Simon Tamás (Nov 07)
- Re: Apache ap_getpass vulnerability Peter Pentchev (Nov 05)
- Re: Apache ap_getpass vulnerability Simon Tamás (Nov 04)
- Re: Apache ap_getpass vulnerability Peter Pentchev (Nov 05)
- Re: Apache ap_getpass vulnerability Carson Gaspar (Nov 06)
- Re: Apache ap_getpass vulnerability Jon Paul, Nollmann (Nov 06)
- Re: Apache ap_getpass vulnerability Carson Gaspar (Nov 06)
- Re: Apache ap_getpass vulnerability Michael H. Warfield (Nov 07)
- Re: Apache ap_getpass vulnerability Jon Paul, Nollmann (Nov 07)
- Re: Apache ap_getpass vulnerability Simon Tamás (Nov 03)
- Re: Apache ap_getpass vulnerability Jon Paul, Nollmann (Nov 03)