Vulnerability Development mailing list archives
Re: Apache ap_getpass vulnerability
From: Pavel Kankovsky <peak () ARGO TROJA MFF CUNI CZ>
Date: Thu, 2 Nov 2000 20:36:04 +0100
On Sun, 2 Jan 2000, Simon Tamás wrote:
> Unless this is done, somebody who gets access to the webserver machine, and therefore can read the private-key file, can also crash the Apache in such a way that he can read the password from memory. All he has to know is where the static char* inside getpass is in memory.
The same memory space where the decrypted private key is stored and ready to be extracted the same way you would extract the password, right?

--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."