
This queue is for tickets about the Apache-AuthenHook CPAN distribution.

Report information
The Basics
Id: 62040
Status: open
Priority: 0/
Queue: Apache-AuthenHook

People
Owner: Nobody in particular
Requestors: 599712 [...] bugs.debian.org
Cc:
AdminCc:

Bug Information
Severity: Important
Broken in: 2.00_04
Fixed in: (no value)



Subject: leaks passwords to the logs
Apache::AuthenHook seemingly logs _all_ usernames and passwords, in clear text, to the vhost's error log:

    ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
                  "Apache::AuthenHook - user '%s', password '%s' verified",
                  user, password);

As far as I can see, this behavior is not documented, and impossible to turn off (it's hard-coded in the C file) except by raising the log level. I've verified that they do indeed show up in the vhost's logs:

    [Sun Oct 10 13:18:45 2010] [info] [client 80.218.213.43] Apache::AuthenHook - user 'Sesse', password '<censored for this bug report>' verified
There's no good reason for this except for debugging, and even in that case, it should only be possible to enable for the Apache admin.
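Patching the module stops new passwords from being written, but error logs already on disk (and their rotated copies) still hold the clear-text values. The following Python is an added example, not part of the bug report or of Apache::AuthenHook: it finds lines in the unpatched message format and rewrites them to the password-free form; the log lines are constructed samples modelled on the line quoted above.

```python
import re

# Constructed sample error-log lines (not real log data); lines 1 and 2 use the
# unpatched format, line 4 the format after the password is dropped.
SAMPLE_LOG = """\
[Sun Oct 10 13:18:45 2010] [info] [client 192.0.2.10] Apache::AuthenHook - user 'alice', password 'hunter2' verified
[Sun Oct 10 13:18:47 2010] [info] [client 192.0.2.11] Apache::AuthenHook - user 'bob', password 's3cret!' denied
[Sun Oct 10 13:18:50 2010] [error] [client 192.0.2.12] File does not exist: /var/www/favicon.ico
[Sun Oct 10 13:18:52 2010] [info] [client 192.0.2.13] Apache::AuthenHook - user 'carol' verified
"""

# The unpatched message: user, then the password as the last quoted field before
# the outcome.  The password group is greedy and anchored to end of line so that
# quote characters inside the password do not cut the match short.
LEAK_RE = re.compile(
    r"Apache::AuthenHook - user '(?P<user>[^']*)', password '"
    r"(?P<password>.*)"
    r"' (?P<outcome>verified|denied)$"
)


def find_leaks(lines):
    """Return (line_no, user, outcome) for every line carrying a clear-text password."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LEAK_RE.search(line)
        if m:
            hits.append((n, m.group("user"), m.group("outcome")))
    return hits


def redact(line):
    """Rewrite one leaking line to the post-patch format; leave other lines unchanged."""
    m = LEAK_RE.search(line)
    if not m:
        return line
    return line[:m.start()] + (
        f"Apache::AuthenHook - user '{m.group('user')}' {m.group('outcome')}"
    )


def scrub_log(text):
    """Redact a whole log; returns (cleaned_text, number_of_lines_changed)."""
    out = [redact(line) for line in text.splitlines()]
    changed = sum(1 for a, b in zip(text.splitlines(), out) if a != b)
    return "\n".join(out) + ("\n" if text.endswith("\n") else ""), changed


if __name__ == "__main__":
    for n, user, outcome in find_leaks(SAMPLE_LOG.splitlines()):
        print(f"line {n}: password for user {user!r} logged ({outcome})")
    cleaned, count = scrub_log(SAMPLE_LOG)
    print(f"{count} line(s) redacted")
```

Any log that `find_leaks` flags should be treated as a credential exposure for the listed users, independent of the clean-up.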
Subject: [PATCH] leaks passwords to the logs
Here is a simple fix for this issue. I opted to keep the messages and just omit the password.
Subject: AuthenHook.patch
Index: AuthenHook.xs =================================================================== --- AuthenHook.xs (revision 63560) +++ AuthenHook.xs (working copy) @@ -180,8 +180,8 @@ case OK: ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, - "Apache::AuthenHook - user '%s', password '%s' verified", - user, password); + "Apache::AuthenHook - user '%s' verified", + user); status = AUTH_GRANTED; break; @@ -196,8 +196,8 @@ default: ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, - "Apache::AuthenHook - user '%s', password '%s' denied", - user, password); + "Apache::AuthenHook - user '%s' denied", + user); status = AUTH_DENIED; };
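Review bot: the denied-path message in the second hunk (`default:` at line 196) still records the submitted username at APLOG_INFO for every rejected attempt; since the report notes this logging is undocumented, add a Changes or POD entry stating what the module now writes to the error log (username and grant/deny outcome, no password) so administrators know what INFO-level logging will contain. The change itself is consistent across both hunks: the password is dropped from the format string and the argument list together, so each remaining `%s` still has its matching argument in the ap_log_rerror call.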
Subject: Bug#599712: Info received ([rt.cpan.org #62040] [PATCH] leaks passwords to the logs )
Date: Mon, 11 Oct 2010 05:15:03 +0000
To: bug-Apache-AuthenHook [...] rt.cpan.org
From: owner [...] bugs.debian.org (Debian Bug Tracking System)
Thank you for the additional information you have supplied regarding this Bug report. This is an automatically generated reply to let you know your message has been received.

Your message is being forwarded to the package maintainers and other interested parties for their attention; they will reply in due course.

Your message has been sent to the package maintainer(s):
 Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>

If you wish to submit further information on this problem, please send it to 599712@bugs.debian.org.

Please do not send mail to owner@bugs.debian.org unless you wish to report a problem with the Bug-tracking system.

-- 
599712: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=599712
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems