
Bug#469271: apache2-utils: htpasswd salt generation weakness



Package: apache2-utils
Version: 2.2.3-4+etch4
Severity: normal

According to 

https://issues.apache.org/bugzilla/show_bug.cgi?id=31440

and

http://www.heise.de/newsticker/meldung/103666/
(sorry, German only, but it does contain an example of how to reproduce
the problem)

htpasswd does weak password salt generation.

I was able to reproduce this in apache2-utils from etch as stated above
and apache2-utils 2.2.8-1 from lenny. It looks like this:

ms@mango> htpasswd -nbm user1 pass1; htpasswd -nbm user2 pass2; htpasswd -nbm user3 pass2
user1:$apr1$FdloI/..$ZD62Y2byC.oAk4AtzmYSY1
user2:$apr1$FdloI/..$HHJ6g9cEnxWFLUV1Rr/W6/
user3:$apr1$FdloI/..$HHJ6g9cEnxWFLUV1Rr/W6/

The password salt, which according to the heise newsticker article is the
"FdloI/.." in the above example, is the same in all three cases.

There is a patch available in the above Apache bug report.

IMHO this should be fixed for unstable and etch.

I am not sure about the severity of the report. Since it doesn't
introduce a security hole just by installing the package and it
doesn't introduce a security hole to get access to POSIX accounts,
but it does introduce some sort of security issue, I marked it as
serious. Feel free to change the severity as you think is appropriate.

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable'), (1, 'testing')
Architecture: i386 (x86_64)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.22-3-amd64
Locale: LANG=de_DE@euro, LC_CTYPE=de_DE@euro (charmap=ISO-8859-15)

Versions of packages apache2-utils depends on:
ii  lib 1.2.7-8.2                            The Apache Portable Runtime Librar
ii  lib 1.2.7+dfsg-2                         The Apache Portable Runtime Utilit
ii  lib 2.3.6.ds1-13etch5                    GNU C Library: Shared libraries
ii  lib 4.4.20-8                             Berkeley v4.4 Database Libraries [
ii  lib 1.95.8-3.4                           XML parsing C library - runtime li
ii  lib 2.1.30-13.3                          OpenLDAP libraries
ii  lib 6.7+7.4-3                            Perl 5 Compatible Regular Expressi
ii  lib 8.1.11-0etch1                        PostgreSQL C client library
ii  lib 3.3.8-1.1                            SQLite 3 shared library
ii  lib 0.9.8c-4etch1                        SSL shared libraries
ii  lib 1.39+1.40-WIP-2006.11.14+dfsg-2etch1 universally unique id library

apache2-utils recommends no packages.

-- no debconf information
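The report shows three entries sharing the salt "FdloI/..", and two of them (user2 and user3, created with the same password) ending up with byte-for-byte identical hashes, which is exactly the leak a per-user random salt is meant to prevent. The following audit script is an added example, not code from the bug report, from apache2-utils or from the Apache patch; it parses an htpasswd file, reports salts used by more than one user and hashes shared between users, and shows how an 8-character apr1 salt should be drawn from a CSPRNG. The sample htpasswd content is constructed from the three lines the report prints; the function names (parse_htpasswd, shared_salts, identical_hashes, fresh_salt, audit) are my own.

```python
"""Audit an htpasswd file for the salt-reuse defect described in the report.

Added example, not part of the bug report or of apache2-utils. The sample
lines below are constructed from the report's own htpasswd output.
"""
import re
import secrets
from collections import defaultdict

# Alphabet used for the salt field of "$apr1$" (Apache MD5) hashes.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# Constructed sample: the three entries shown in the report.
SAMPLE_HTPASSWD = """\
user1:$apr1$FdloI/..$ZD62Y2byC.oAk4AtzmYSY1
user2:$apr1$FdloI/..$HHJ6g9cEnxWFLUV1Rr/W6/
user3:$apr1$FdloI/..$HHJ6g9cEnxWFLUV1Rr/W6/
"""

# $apr1$<salt, up to 8 chars>$<22-char base64-style digest>
APR1_RE = re.compile(r"^\$apr1\$([./0-9A-Za-z]{1,8})\$([./0-9A-Za-z]{22})$")


def parse_htpasswd(text):
    """Return a list of (user, salt, digest) for every $apr1$ entry.

    Blank lines, comments and entries using another hash scheme are skipped.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, field = line.split(":", 1)
        m = APR1_RE.match(field)
        if m:
            entries.append((user, m.group(1), m.group(2)))
    return entries


def shared_salts(entries):
    """Map salt -> sorted users sharing it, for salts used more than once."""
    by_salt = defaultdict(list)
    for user, salt, _ in entries:
        by_salt[salt].append(user)
    return {s: sorted(u) for s, u in by_salt.items() if len(u) > 1}


def identical_hashes(entries):
    """Map full hash string -> sorted users whose stored hash is identical.

    Because the salt is part of the hash, two users can only collide here
    when they share a salt AND a password; that is what the report's
    user2/user3 pair reveals.
    """
    by_hash = defaultdict(list)
    for user, salt, digest in entries:
        by_hash[(salt, digest)].append(user)
    return {f"$apr1${s}${d}": sorted(u) for (s, d), u in by_hash.items() if len(u) > 1}


def fresh_salt(length=8):
    """Draw an apr1 salt from a CSPRNG: a fresh one per call, never a fixed value."""
    return "".join(secrets.choice(ITOA64) for _ in range(length))


def audit(text):
    """Run both checks over the text of an htpasswd file."""
    entries = parse_htpasswd(text)
    return {
        "shared_salts": shared_salts(entries),
        "identical_hashes": identical_hashes(entries),
    }


if __name__ == "__main__":
    for finding, detail in audit(SAMPLE_HTPASSWD).items():
        print(finding, detail)
    print("example fresh salt:", fresh_salt())
```

Run it against a real file with `audit(open("/etc/apache2/.htpasswd").read())`; any non-empty `shared_salts` result on a file written by an affected htpasswd is the symptom from the report, and entries listed under `identical_hashes` are accounts whose passwords are known to be equal without cracking anything.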
