Steinar H. Gunderson
2010-Oct-10 11:27 UTC
[Secure-testing-team] Bug#599712: libapache-authenhook-perl: leaks passwords to the logs
Package: libapache-authenhook-perl
Version: 2.00-04+pristine-1+b1
Severity: grave
Tags: security
Justification: user security hole

Apache::AuthenHook seemingly logs _all_ usernames and passwords, in clear text, to the vhost's error log:

    ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, "Apache::AuthenHook - user '%s', password '%s' verified", user, password);

As far as I can see, this behavior is not documented, and impossible to turn off (it's hard-coded in the C file) except by raising the log level. I've verified that they do indeed show up in the vhost's logs:

    [Sun Oct 10 13:18:45 2010] [info] [client 80.218.213.43] Apache::AuthenHook - user 'Sesse', password '<censored for this bug report>' verified

There's no good reason for this except for debugging, and even in that case, it should only be possible to enable for the Apache admin.

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.35 (SMP w/1 CPU core)
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
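For an administrator who already has the affected version deployed, the immediate defensive work is to find out which credentials the hard-coded log line above has written to disk and to scrub them before the logs are rotated, shipped or backed up. The following is an added example, not part of the bug report or the Apache::AuthenHook package; it matches the exact format string quoted in the report, redacts the password field and lists the accounts whose passwords were exposed. The sample log lines, client addresses and credentials are constructed for the example.

```python
"""Scan an Apache error log for Apache::AuthenHook lines that disclose
credentials, redact the password and report which accounts were exposed."""
import re

# Matches the hard-coded ap_log_rerror() format quoted in the bug report:
#   Apache::AuthenHook - user '<user>', password '<password>' verified
# The password group runs up to the final "' verified" at end of line, so a
# password that itself contains quotes is still captured (and redacted) whole.
AUTHENHOOK_RE = re.compile(
    r"Apache::AuthenHook - user '(?P<user>[^']*)', password '"
    r"(?P<password>.*)' verified$"
)

REDACTED = "<redacted>"


def redact_line(line):
    """Return (redacted_line, username) for a leaking line, or (line, None)."""
    m = AUTHENHOOK_RE.search(line)
    if m is None:
        return line, None
    redacted = line[:m.start("password")] + REDACTED + line[m.end("password"):]
    return redacted, m.group("user")


def scan_error_log(lines):
    """Redact every leaking line; return the cleaned lines and the exposed users
    in first-seen order (these accounts need a password reset)."""
    cleaned = []
    exposed = []
    for line in lines:
        redacted, user = redact_line(line.rstrip("\n"))
        cleaned.append(redacted)
        if user is not None and user not in exposed:
            exposed.append(user)
    return cleaned, exposed


# Constructed sample lines in the Apache 2.2 error_log layout shown in the report.
SAMPLE_LOG = [
    "[Sun Oct 10 13:18:45 2010] [info] [client 192.0.2.10] Apache::AuthenHook - user 'alice', password 'hunter2' verified",
    "[Sun Oct 10 13:18:46 2010] [info] [client 192.0.2.10] Apache::AuthenHook - user 'bob', password 'it's a secret' verified",
    "[Sun Oct 10 13:18:47 2010] [notice] Apache/2.2.16 (Debian) configured -- resuming normal operations",
    "[Sun Oct 10 13:18:48 2010] [info] [client 192.0.2.11] Apache::AuthenHook - user 'alice', password 'hunter2' verified",
]

if __name__ == "__main__":
    cleaned, exposed = scan_error_log(SAMPLE_LOG)
    print("\n".join(cleaned))
    print("accounts needing a password reset:", exposed)
```

The scrubbed output keeps the timestamp, client address and username so that the audit trail for the authentication event survives while the secret does not.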