Alexander Over
2009-Jul-30 06:27 UTC
[Secure-testing-team] Bug#539246: apache2: Incorrect password check with CRYPT
Package: apache2.2-common Version: 2.2.9-10+lenny4 Severity: grave Tags: security Justification: user security hole If you create a User/Password combination with htpasswd using the default CRYPT encryption and a password with more than 8 chars, the Website still gets you access by typing in the first 8 chars or the complete password. e.g. if you provide test42test as password, you can type in just test42te to get access. This bug affects x86 systems too. -- Package-specific info: List of enabled modules from ''apache2 -M'': alias auth_basic authn_file authnz_ldap authz_default authz_groupfile authz_host authz_user autoindex cgi deflate dir env ldap mime negotiation perl php5 python radius_auth rewrite setenvif ssl status userdir -- System Information: Debian Release: 5.0.2 APT prefers stable APT policy: (500, ''stable'') Architecture: amd64 (x86_64) Kernel: Linux 2.6.29-2-amd64 (SMP w/2 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash Versions of packages apache2 depends on: ii apache2-mpm-prefork 2.2.9-10+lenny4 Apache HTTP Server - traditional n apache2 recommends no packages. apache2 suggests no packages. Versions of packages apache2.2-common depends on: ii apache2-utils 2.2.9-10+lenny4 utility programs for webservers ii libapr1 1.2.12-5 The Apache Portable Runtime Librar ii libaprutil1 1.2.12+dfsg-8+lenny3 The Apache Portable Runtime Utilit ii libc6 2.7-18 GNU C Library: Shared libraries ii libmagic1 4.26-1 File type determination library us ii libssl0.9.8 0.9.8g-15+lenny1 SSL shared libraries ii lsb-base 3.2-20 Linux Standard Base 3.2 init scrip ii mime-support 3.44-1 MIME files ''mime.types'' & ''mailcap ii net-tools 1.60-22 The NET-3 networking toolkit ii perl 5.10.0-19 Larry Wall''s Practical Extraction ii procps 1:3.2.7-11 /proc file system utilities ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime -- no debconf information