Bug#469271: apache2-utils: htpasswd salt generation weakness
Package: apache2-utils
Version: 2.2.3-4+etch4
Severity: normal
According to
https://issues.apache.org/bugzilla/show_bug.cgi?id=31440
and
http://www.heise.de/newsticker/meldung/103666/
(sorry, German only, but it does contain an example of how to reproduce the
problem)
htpasswd does weak password salt generation.
I was able to reproduce this in apache2-utils from etch as stated above
and apache2-utils 2.2.8-1 from lenny. It looks like this:
ms@mango> htpasswd -nbm user1 pass1; htpasswd -nbm user2 pass2;
htpasswd -nbm user3 pass2 ~
user1:$apr1$FdloI/..$ZD62Y2byC.oAk4AtzmYSY1
user2:$apr1$FdloI/..$HHJ6g9cEnxWFLUV1Rr/W6/
user3:$apr1$FdloI/..$HHJ6g9cEnxWFLUV1Rr/W6/
The password salt (according to the heise newsticker article, that is the
"FdloI/.." in the above example) is the same in all three cases.
There is a patch available in above apache bug report.
IMHO this should be fixed for unstable and etch.
I am not sure about the severity of the report. Since it doesn't
introduce a security hole just by installing the package and it
doesn't introduce a security hole to get access to POSIX accounts,
but it does introduce some sort of security issue, I marked it as
serious. Feel free to change severity as you think is appropriate.
-- System Information:
Debian Release: 4.0
APT prefers stable
APT policy: (500, 'stable'), (1, 'testing')
Architecture: i386 (x86_64)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.22-3-amd64
Locale: LANG=de_DE@euro, LC_CTYPE=de_DE@euro (charmap=ISO-8859-15)
Versions of packages apache2-utils depends on:
ii lib 1.2.7-8.2 The Apache Portable Runtime Librar
ii lib 1.2.7+dfsg-2 The Apache Portable Runtime Utilit
ii lib 2.3.6.ds1-13etch5 GNU C Library: Shared libraries
ii lib 4.4.20-8 Berkeley v4.4 Database Libraries [
ii lib 1.95.8-3.4 XML parsing C library - runtime li
ii lib 2.1.30-13.3 OpenLDAP libraries
ii lib 6.7+7.4-3 Perl 5 Compatible Regular Expressi
ii lib 8.1.11-0etch1 PostgreSQL C client library
ii lib 3.3.8-1.1 SQLite 3 shared library
ii lib 0.9.8c-4etch1 SSL shared libraries
ii lib 1.39+1.40-WIP-2006.11.14+dfsg-2etch1 universally unique id library
apache2-utils recommends no packages.
-- no debconf information
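The salt reuse shown in the report can be checked for after the fact in an existing htpasswd file. The following script is an added example, not part of the bug report or of apache2-utils: it parses `$apr1$` entries, flags any salt shared by more than one user, and also flags entries whose whole salt+hash string coincides, which (as user2 and user3 above show) reveals that two accounts share a password once the salt is fixed. The `generate_salt` helper shows what a correctly random 8-character salt from the crypt alphabet looks like; the sample lines are the three from the report and the format assumptions (8-character salt, 22-character hash, `./0-9A-Za-z` alphabet) are mine.

```python
import re
import secrets

# Constructed sample input: the three lines from the bug report above.
# All three share the salt "FdloI/.." and user2/user3 share a password.
SAMPLE_HTPASSWD = """\
user1:$apr1$FdloI/..$ZD62Y2byC.oAk4AtzmYSY1
user2:$apr1$FdloI/..$HHJ6g9cEnxWFLUV1Rr/W6/
user3:$apr1$FdloI/..$HHJ6g9cEnxWFLUV1Rr/W6/
"""

# Alphabet used by crypt-style hashes for salt and digest characters.
SALT_ALPHABET = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Assumed layout of an apr1 (Apache MD5) entry: user:$apr1$<salt>$<22-char digest>
APR1_RE = re.compile(
    r"^(?P<user>[^:]+):\$apr1\$(?P<salt>[./0-9A-Za-z]{1,8})\$(?P<hash>[./0-9A-Za-z]{22})$"
)


def parse_apr1_entries(text):
    """Return a list of (user, salt, digest) tuples; non-apr1 lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = APR1_RE.match(line.strip())
        if m:
            entries.append((m["user"], m["salt"], m["hash"]))
    return entries


def find_reused_salts(entries):
    """Map each salt that appears under more than one user to those users."""
    by_salt = {}
    for user, salt, _ in entries:
        by_salt.setdefault(salt, []).append(user)
    return {s: users for s, users in by_salt.items() if len(users) > 1}


def find_identical_hashes(entries):
    """Users whose (salt, digest) pair coincides: same salt and same password."""
    by_pair = {}
    for user, salt, digest in entries:
        by_pair.setdefault((salt, digest), []).append(user)
    return {pair: users for pair, users in by_pair.items() if len(users) > 1}


def generate_salt(length=8):
    """A salt drawn from the OS CSPRNG, which is what each htpasswd call should do."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))


def audit(text):
    """Run both checks over htpasswd-formatted text and return the findings."""
    entries = parse_apr1_entries(text)
    return {
        "reused_salts": find_reused_salts(entries),
        "identical_hashes": find_identical_hashes(entries),
    }


if __name__ == "__main__":
    findings = audit(SAMPLE_HTPASSWD)
    for salt, users in findings["reused_salts"].items():
        print(f"salt {salt!r} reused by: {', '.join(users)}")
    for (salt, digest), users in findings["identical_hashes"].items():
        print(f"identical hash under salt {salt!r}: {', '.join(users)} share a password")
    print("fresh random salt:", generate_salt())
```

Run it against a real file with `audit(open("/path/to/.htpasswd").read())`; any non-empty `reused_salts` result on a file built by an affected htpasswd is the symptom the report describes, and the fix is to regenerate those entries with a patched htpasswd.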