Vulnerability Development mailing list archives

Re: Apache ap_getpass vulnerability

From: Pavel Kankovsky <peak () ARGO TROJA MFF CUNI CZ>
Date: Thu, 2 Nov 2000 20:36:04 +0100

On Sun, 2 Jan 2000, Simon Tamás wrote:

Unless this is done somebody who gets access to the webserver machine,
and therefore can read the private-key file, can also crash the Apache
in such a way that he can read the password from memory. All he has to
know is where the static char* inside getpass is in memory.


The same memory space where the decrypted private key is stored and ready
to be extracted the same way you would extract the password, right?

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."

Current thread:

Apache ap_getpass vulnerability Simon Tamás (Nov 02)
- Re: Apache ap_getpass vulnerability Jon Paul, Nollmann (Nov 03)
  - Re: Apache ap_getpass vulnerability Simon Tamás (Nov 03)
    - Re: Apache ap_getpass vulnerability Jon Paul, Nollmann (Nov 04)
    - Re: Apache ap_getpass vulnerability Pavel Kankovsky (Nov 05)
    - Re: Apache ap_getpass vulnerability Simon Tamás (Nov 07)
    - Re: Apache ap_getpass vulnerability Peter Pentchev (Nov 05)
    - Re: Apache ap_getpass vulnerability Simon Tamás (Nov 04)
    - Re: Apache ap_getpass vulnerability Peter Pentchev (Nov 05)
    - Re: Apache ap_getpass vulnerability Carson Gaspar (Nov 06)
    - Re: Apache ap_getpass vulnerability Jon Paul, Nollmann (Nov 06)
    - Re: Apache ap_getpass vulnerability Carson Gaspar (Nov 06)
    - Re: Apache ap_getpass vulnerability Michael H. Warfield (Nov 07)
    - Re: Apache ap_getpass vulnerability Jon Paul, Nollmann (Nov 07)
    - Re: Apache ap_getpass vulnerability Lincoln Yeoh (Nov 08)

(Thread continues...)