Bug#599712: libapache-authenhook-perl: leaks passwords to the logs

Steinar H. Gunderson sgunderson at bigfoot.com
Sun Oct 10 11:27:46 UTC 2010


Package: libapache-authenhook-perl
Version: 2.00-04+pristine-1+b1
Severity: grave
Tags: security
Justification: user security hole

Apache::AuthenHook seemingly logs _all_ usernames and passwords, in clear text,
to the vhost's error log:

      ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
                    "Apache::AuthenHook - user '%s', password '%s' verified",
                    user, password);

As far as I can see, this behavior is not documented, and impossible to turn
off (it's hard-coded in the C file) except by raising the log level.
I've verified that they do indeed show up in the vhost's logs:

  [Sun Oct 10 13:18:45 2010] [info] [client 80.218.213.43] Apache::AuthenHook - user 'Sesse', password '<censored for this bug report>' verified

There's no good reason for this except for debugging, and even in that case,
it should only be possible to enable for the Apache admin.

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.35 (SMP w/1 CPU core)
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
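Upgrading the module stops new leaks but does not scrub entries already written, so an admin also needs to find and redact them. The scanner below is an added example (not code from the bug report or the package): it matches the exact message format of the ap_log_rerror() call quoted above, reports affected lines without repeating the password, and rewrites a log with the password replaced. The sample log lines, client addresses and passwords are constructed for the example.

```python
import re
import sys

# Constructed sample lines modelled on the log format quoted in the bug report;
# the client addresses and passwords are made up for this example.
SAMPLE_LOG = (
    "[Sun Oct 10 13:18:45 2010] [info] [client 192.0.2.10] "
    "Apache::AuthenHook - user 'alice', password 'hunter2' verified\n"
    "[Sun Oct 10 13:18:46 2010] [error] [client 192.0.2.11] "
    "File does not exist: /var/www/favicon.ico\n"
    "[Sun Oct 10 13:19:02 2010] [info] [client 192.0.2.12] "
    "Apache::AuthenHook - user 'bob', password 'it''s 'odd'' verified\n"
)

# Matches the message built by the ap_log_rerror() call quoted in the report.
# The password group is greedy so a password containing quotes is still
# captured up to the final "' verified" that closes the message.
LEAK_RE = re.compile(
    r"^(?P<head>.*Apache::AuthenHook - user '(?P<user>.*?)', password ')"
    r"(?P<password>.*)(?P<tail>' verified)\s*$"
)
REDACTED = "[REDACTED]"


def find_leaks(lines):
    """Return (line_number, username) for each leaking line, never the password,
    so the scan result can go into a ticket without repeating the leak."""
    return [(n, m.group("user")) for n, line in enumerate(lines, 1)
            if (m := LEAK_RE.match(line))]


def redact_line(line):
    """Replace the leaked password with a placeholder; other lines pass through."""
    m = LEAK_RE.match(line)
    return line if not m else m.group("head") + REDACTED + m.group("tail")


def redact_log(text):
    """Redact every leaked password in a log; returns (new_text, count)."""
    fixed = [redact_line(line) for line in text.splitlines()]
    count = sum(a != b for a, b in zip(fixed, text.splitlines()))
    return "\n".join(fixed) + ("\n" if text.endswith("\n") else ""), count


if __name__ == "__main__":
    # Usage: python scrub_authenhook.py error.log > error.log.redacted
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    cleaned, n = redact_log(source)
    sys.stdout.write(cleaned)
    sys.stderr.write(f"redacted {n} leaked password(s)\n")
```

Rotated and archived copies of the error log need the same treatment, and the placeholder keeps the username so authentication history is not lost.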