libapache-authenhook-perl: leaks passwords to the logs

Related Vulnerabilities: CVE-2010-3845  

Debian Bug report logs - #599712


Reported by: "Steinar H. Gunderson" <sgunderson@bigfoot.com>

Date: Sun, 10 Oct 2010 12:00:02 UTC

Severity: grave

Tags: security

Found in version libapache-authenhook-perl/2.00-04+pristine-1

Fixed in versions libapache-authenhook-perl/2.00-04+pristine-2, libapache-authenhook-perl/2.00-04+pristine-1+lenny1

Done: Ansgar Burchardt <ansgar@debian.org>

Bug is archived. No further changes may be made.

Forwarded to http://rt.cpan.org/Public/Bug/Display.html?id=62040



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#599712; Package libapache-authenhook-perl. (Sun, 10 Oct 2010 12:00:05 GMT) (full text, mbox, link).


Acknowledgement sent to "Steinar H. Gunderson" <sgunderson@bigfoot.com>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Sun, 10 Oct 2010 12:00:05 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: "Steinar H. Gunderson" <sgunderson@bigfoot.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libapache-authenhook-perl: leaks passwords to the logs
Date: Sun, 10 Oct 2010 13:27:46 +0200
Package: libapache-authenhook-perl
Version: 2.00-04+pristine-1+b1
Severity: grave
Tags: security
Justification: user security hole

Apache::AuthenHook seemingly logs _all_ usernames and passwords, in clear text,
to the vhost's error log:

      ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
                    "Apache::AuthenHook - user '%s', password '%s' verified",
                    user, password);

As far as I can see, this behavior is not documented, and impossible to turn
off (it's hard-coded in the C file) except by raising the log level.
I've verified that they do indeed show up in the vhost's logs:

  [Sun Oct 10 13:18:45 2010] [info] [client 80.218.213.43] Apache::AuthenHook - user 'Sesse', password '<censored for this bug report>' verified

There's no good reason for this except for debugging, and even in that case,
it should only be possible to enable for the Apache admin.

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.35 (SMP w/1 CPU core)
Locale: LANG=en_DK.UTF-8, LC_CTYPE=en_DK.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
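
A log audit for the leak reported above, as an added example that is not part of the original bug log or of Apache::AuthenHook: it finds error-log lines written by the unpatched format string, redacts the password and counts the affected user names. The sample log lines, the client addresses and the names `scrub_line` and `scrub_log` are constructed for illustration.

```python
import re

# Message format of the unpatched ap_log_rerror() calls quoted in the report:
#   Apache::AuthenHook - user '%s', password '%s' verified|denied
# The user group is non-greedy and the password group greedy, so a password
# that itself contains a quote is still covered up to the final
# "' verified" / "' denied" at the end of the line.
LEAK_RE = re.compile(
    r"Apache::AuthenHook - user '(?P<user>.*?)', password '"
    r"(?P<password>.*)"
    r"(?P<tail>' (?P<result>verified|denied))\s*$"
)

REDACTED = "<redacted>"

# Constructed sample input (not taken from a real server).
SAMPLE_LOG = [
    "[Sun Oct 10 13:18:45 2010] [info] [client 192.0.2.5] "
    "Apache::AuthenHook - user 'alice', password 'correct horse' verified\n",
    "[Sun Oct 10 13:20:02 2010] [info] [client 192.0.2.7] "
    "Apache::AuthenHook - user 'bob', password 'pa'ss' word' denied\n",
    # Line as written by a patched module: must be left untouched.
    "[Mon Oct 11 09:00:00 2010] [info] [client 192.0.2.9] "
    "Apache::AuthenHook - user 'carol' verified\n",
    "[Mon Oct 11 09:00:01 2010] [error] [client 192.0.2.9] "
    "File does not exist: /var/www/favicon.ico\n",
]


def scrub_line(line):
    """Return (clean_line, finding); finding is None if the line has no leak."""
    m = LEAK_RE.search(line)
    if m is None:
        return line, None
    newline = "\n" if line.endswith("\n") else ""
    clean = line[: m.start("password")] + REDACTED + m.group("tail") + newline
    return clean, {"user": m.group("user"), "result": m.group("result")}


def scrub_log(lines):
    """Scrub an iterable of log lines.

    Returns (clean_lines, affected). affected maps each user name to the
    number of leaked entries per result; 'verified' entries exposed a valid
    password, so those accounts are the first to rotate.
    """
    clean_lines = []
    affected = {}
    for line in lines:
        clean, finding = scrub_line(line)
        clean_lines.append(clean)
        if finding:
            counts = affected.setdefault(
                finding["user"], {"verified": 0, "denied": 0}
            )
            counts[finding["result"]] += 1
    return clean_lines, affected


if __name__ == "__main__":
    cleaned, users = scrub_log(SAMPLE_LOG)
    print("".join(cleaned), end="")
    for name, counts in sorted(users.items()):
        print(f"{name}: {counts}")
```

Rotated and compressed copies of the error log and any backups hold the same lines and need the same pass.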




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#599712; Package libapache-authenhook-perl. (Mon, 11 Oct 2010 05:15:03 GMT) (full text, mbox, link).


Acknowledgement sent to bug-Apache-AuthenHook@rt.cpan.org:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Mon, 11 Oct 2010 05:15:03 GMT) (full text, mbox, link).


Message #10 received at 599712@bugs.debian.org (full text, mbox, reply):

From: "Ivan Kohler via RT" <bug-Apache-AuthenHook@rt.cpan.org>
To: 599712@bugs.debian.org
Subject: [rt.cpan.org #62040] [PATCH] leaks passwords to the logs
Date: Mon, 11 Oct 2010 01:12:03 -0400
[Message part 1 (text/plain, inline)]
<URL: https://rt.cpan.org/Ticket/Display.html?id=62040 >

Here is a simple fix for this issue.  I opted to keep the messages and
just omit the password.


[AuthenHook.patch (text/x-patch, inline)]
Index: AuthenHook.xs
===================================================================
--- AuthenHook.xs	(revision 63560)
+++ AuthenHook.xs	(working copy)
@@ -180,8 +180,8 @@
 
     case OK:
       ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
-                    "Apache::AuthenHook - user '%s', password '%s' verified",
-                    user, password);
+                    "Apache::AuthenHook - user '%s' verified",
+                    user);
 
       status = AUTH_GRANTED;
       break;
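Review bot: in the `case OK:` branch the password is dropped from the format string and its argument list, but nothing accompanying the change tells administrators that error logs already written at APLOG_INFO by earlier versions still hold the cleartext password of every successful login. The changelog or release note should say so and recommend scrubbing or rotating those logs, including rotated copies.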
@@ -196,8 +196,8 @@
 
     default:
       ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
-                    "Apache::AuthenHook - user '%s', password '%s' denied",
-                    user, password);
+                    "Apache::AuthenHook - user '%s' denied",
+                    user);
 
       status = AUTH_DENIED;
   };
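Review bot: the `default:` branch still writes the client-supplied `user` value for every denied attempt, and a failed login is the case where a user may have typed the password into the user name field, so this line can still record a secret. Consider logging the denied case without the supplied name, or keeping the name only at a debug level that the Apache admin has to enable.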

Set Bug forwarded-to-address to 'http://rt.cpan.org/Public/Bug/Display.html?id=62040'. Request was from Ivan Kohler <ivan-debian@420.am> to control@bugs.debian.org. (Mon, 11 Oct 2010 05:30:02 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#599712; Package libapache-authenhook-perl. (Mon, 11 Oct 2010 05:39:03 GMT) (full text, mbox, link).


Message #15 received at 599712@bugs.debian.org (full text, mbox, reply):

From: "Bugs in Apache-AuthenHook via RT" <bug-Apache-AuthenHook@rt.cpan.org>
To: 599712@bugs.debian.org
Subject: [rt.cpan.org #62040] AutoReply: leaks passwords to the logs
Date: Mon, 11 Oct 2010 01:02:56 -0400
Greetings,

This message has been automatically generated in response to the
creation of a trouble ticket regarding:
	"leaks passwords to the logs", 
a summary of which appears below.

There is no need to reply to this message right now.  Your ticket has been
assigned an ID of [rt.cpan.org #62040].  Your ticket is accessible
on the web at:

    https://rt.cpan.org/Ticket/Display.html?id=62040

Please include the string:

         [rt.cpan.org #62040]

in the subject line of all future correspondence about this issue. To do so, 
you may reply to this message.

                        Thank you,
                        bug-Apache-AuthenHook@rt.cpan.org

-------------------------------------------------------------------------
Apache::AuthenHook seemingly logs _all_ usernames and passwords, in
clear text, to the vhost's error log:

 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
               "Apache::AuthenHook - user '%s', password '%s' verified",
               user, password);

As far as I can see, this behavior is not documented, and impossible to
turn off (it's hard-coded in the C file) except by raising the log
level.  I've verified that they do indeed show up in the vhost's logs:

  [Sun Oct 10 13:18:45 2010] [info] [client 80.218.213.43]
Apache::AuthenHook - user 'Sesse', password '<censored for this bug
report>' verified

There's no good reason for this except for debugging, and even in that
case, it should only be possible to enable for the Apache admin.






Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#599712; Package libapache-authenhook-perl. (Mon, 11 Oct 2010 05:39:05 GMT) (full text, mbox, link).


Message #18 received at 599712@bugs.debian.org (full text, mbox, reply):

From: pkg-perl-maintainers@lists.alioth.debian.org
To: 599712@bugs.debian.org, 599712-submitter@bugs.debian.org
Subject: Bug in libapache-authenhook-perl fixed in revision 63561
Date: Mon, 11 Oct 2010 05:37:17 +0000
tag 599712 + pending
thanks

Some bugs are closed in revision 63561
by Ivan Kohler (ivan)

Commit message:

Remove passwords from log messages (Closes: #599712)




Added tag(s) pending. Request was from pkg-perl-maintainers@lists.alioth.debian.org to control@bugs.debian.org. (Mon, 11 Oct 2010 05:39:06 GMT) (full text, mbox, link).


Message sent on to "Steinar H. Gunderson" <sgunderson@bigfoot.com>:
Bug#599712. (Mon, 11 Oct 2010 05:39:08 GMT) (full text, mbox, link).


Reply sent to Ivan Kohler <ivan-debian@420.am>:
You have taken responsibility. (Mon, 11 Oct 2010 05:51:03 GMT) (full text, mbox, link).


Notification sent to "Steinar H. Gunderson" <sgunderson@bigfoot.com>:
Bug acknowledged by developer. (Mon, 11 Oct 2010 05:51:03 GMT) (full text, mbox, link).


Message #28 received at 599712-close@bugs.debian.org (full text, mbox, reply):

From: Ivan Kohler <ivan-debian@420.am>
To: 599712-close@bugs.debian.org
Subject: Bug#599712: fixed in libapache-authenhook-perl 2.00-04+pristine-2
Date: Mon, 11 Oct 2010 05:47:06 +0000
Source: libapache-authenhook-perl
Source-Version: 2.00-04+pristine-2

We believe that the bug you reported is fixed in the latest version of
libapache-authenhook-perl, which is due to be installed in the Debian FTP archive:

libapache-authenhook-perl_2.00-04+pristine-2.diff.gz
  to main/liba/libapache-authenhook-perl/libapache-authenhook-perl_2.00-04+pristine-2.diff.gz
libapache-authenhook-perl_2.00-04+pristine-2.dsc
  to main/liba/libapache-authenhook-perl/libapache-authenhook-perl_2.00-04+pristine-2.dsc
libapache-authenhook-perl_2.00-04+pristine-2_amd64.deb
  to main/liba/libapache-authenhook-perl/libapache-authenhook-perl_2.00-04+pristine-2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 599712@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ivan Kohler <ivan-debian@420.am> (supplier of updated libapache-authenhook-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Sun, 10 Oct 2010 22:21:46 -0700
Source: libapache-authenhook-perl
Binary: libapache-authenhook-perl
Architecture: source amd64
Version: 2.00-04+pristine-2
Distribution: unstable
Urgency: low
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Ivan Kohler <ivan-debian@420.am>
Description: 
 libapache-authenhook-perl - Perl API for Apache 2.1 authentication
Closes: 599712
Changes: 
 libapache-authenhook-perl (2.00-04+pristine-2) unstable; urgency=low
 .
   [ gregor herrmann ]
   * debian/control: Changed: Switched Vcs-Browser field to ViewSVN
     (source stanza).
 .
   [ Ivan Kohler ]
   * Remove passwords from log messages (Closes: #599712)
   * Add myself to Uploaders:





Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#599712; Package libapache-authenhook-perl. (Wed, 13 Oct 2010 11:33:08 GMT) (full text, mbox, link).


Acknowledgement sent to Gerfried Fuchs <rhonda@deb.at>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Wed, 13 Oct 2010 11:33:08 GMT) (full text, mbox, link).


Message #33 received at 599712@bugs.debian.org (full text, mbox, reply):

From: Gerfried Fuchs <rhonda@deb.at>
To: Ivan Kohler <ivan-debian@420.am>
Cc: 599712@bugs.debian.org
Subject: Re: Bug#599712: fixed in libapache-authenhook-perl 2.00-04+pristine-2
Date: Wed, 13 Oct 2010 13:29:30 +0200
        Hi!

* Ivan Kohler <ivan-debian@420.am> [2010-10-11 07:47:06 CEST]:
>    [ Ivan Kohler ]
>    * Remove passwords from log messages (Closes: #599712)
>    * Add myself to Uploaders:

 As the fix for this bug is a pretty small one, it would be really good
if you also pushed the fix into the stable release; the bug is
still outstanding for lenny.

 If you need help with that, please let me know.
Rhonda
-- 
https://flattr.com/thing/47066/Debian-BTS-cleaning-up




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#599712; Package libapache-authenhook-perl. (Wed, 13 Oct 2010 14:33:02 GMT) (full text, mbox, link).


Message #36 received at 599712@bugs.debian.org (full text, mbox, reply):

From: Ansgar Burchardt <ansgar@43-1.org>
To: team@security.debian.org
Cc: 599712@bugs.debian.org
Subject: Re: Bug#599712: libapache-authenhook-perl: leaks passwords to the logs
Date: Wed, 13 Oct 2010 16:30:26 +0200
[Message part 1 (text/plain, inline)]
Hi,

libapache-authenhook-perl logs passwords in Apache's error.log if the
log level is >= info[1].  I prepared an update for Lenny including the
same patch used for testing/unstable (already unblocked[2] as well).

Should this go through stable-security or does the security team see
this as a minor issue that should be fixed in the next point release?
In the former case, shall I upload a package based on the attached patch
to stable-security?

Regards,
Ansgar

[1] <http://bugs.debian.org/599712>
[2] <http://bugs.debian.org/599779>

[libapache-authenhook-perl-lenny.diff (text/x-diff, inline)]
Index: debian/changelog
===================================================================
--- debian/changelog	(revision 63673)
+++ debian/changelog	(working copy)
@@ -1,3 +1,9 @@
+libapache-authenhook-perl (2.00-04+pristine-1+lenny1) stable-security; urgency=high
+
+  * Remove passwords from log messages. (Closes: #599712)
+
+ -- Ansgar Burchardt <ansgar@debian.org>  Wed, 13 Oct 2010 15:36:05 +0200
+
 libapache-authenhook-perl (2.00-04+pristine-1) unstable; urgency=low
 
   [ gregor herrmann ]
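Review bot: the added changelog entry targets `stable-security`, while the covering message is still asking whether the upload should go through stable-security or a point release, so the distribution on the first added line should be settled before upload. The entry also carries only the bug number; once a CVE identifier has been assigned it should be named in the `* Remove passwords from log messages.` line.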
Index: AuthenHook.xs
===================================================================
--- AuthenHook.xs	(revision 63673)
+++ AuthenHook.xs	(working copy)
@@ -180,8 +180,8 @@
 
     case OK:
       ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
-                    "Apache::AuthenHook - user '%s', password '%s' verified",
-                    user, password);
+                    "Apache::AuthenHook - user '%s' verified",
+                    user);
 
       status = AUTH_GRANTED;
       break;
@@ -196,8 +196,8 @@
 
     default:
       ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
-                    "Apache::AuthenHook - user '%s', password '%s' denied",
-                    user, password);
+                    "Apache::AuthenHook - user '%s' denied",
+                    user);
 
       status = AUTH_DENIED;
   };

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#599712; Package libapache-authenhook-perl. (Wed, 13 Oct 2010 14:33:04 GMT) (full text, mbox, link).


Message #39 received at 599712@bugs.debian.org (full text, mbox, reply):

From: pkg-perl-maintainers@lists.alioth.debian.org
To: 599712@bugs.debian.org, 599712-submitter@bugs.debian.org
Subject: Bug in fixed in revision 63676
Date: Wed, 13 Oct 2010 14:31:17 +0000
tag 599712 + pending
thanks

Some bugs are closed in revision 63676
by Ansgar Burchardt (ansgar)

Commit message:

Remove passwords from log messages. (Closes: #599712)




Added tag(s) pending. Request was from pkg-perl-maintainers@lists.alioth.debian.org to control@bugs.debian.org. (Wed, 13 Oct 2010 14:33:06 GMT) (full text, mbox, link).


Message sent on to "Steinar H. Gunderson" <sgunderson@bigfoot.com>:
Bug#599712. (Wed, 13 Oct 2010 14:33:08 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#599712; Package libapache-authenhook-perl. (Wed, 13 Oct 2010 17:36:03 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Wed, 13 Oct 2010 17:36:03 GMT) (full text, mbox, link).


Message #49 received at 599712@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Ansgar Burchardt <ansgar@43-1.org>
Cc: team@security.debian.org, 599712@bugs.debian.org
Subject: Re: Bug#599712: libapache-authenhook-perl: leaks passwords to the logs
Date: Wed, 13 Oct 2010 19:34:39 +0200
On Wed, Oct 13, 2010 at 04:30:26PM +0200, Ansgar Burchardt wrote:
> Hi,
> 
> libapache-authenhook-perl logs passwords in Apache's error.log if the
> log level is >= info[1].  I prepared an update for Lenny including the
> same patch used for testing/unstable (already unblocked[2] as well).
> 
> Should this go through stable-security or does the security team see
> this as a minor issue that should be fixed in the next point release?
> In the former case, shall I upload a package based on the attached patch
> to stable-security?

Since the impact is minor, please fix it through a point update.

I'll request a CVE ID for it and keep you CCed, maybe you can
hold off the upload for a few days until it's available? (The
next point update will take a few weeks anyway)

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#599712; Package libapache-authenhook-perl. (Wed, 13 Oct 2010 20:45:06 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>. (Wed, 13 Oct 2010 20:45:06 GMT) (full text, mbox, link).


Message #54 received at 599712@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Ansgar Burchardt <ansgar@43-1.org>
Cc: team@security.debian.org, 599712@bugs.debian.org
Subject: Re: Bug#599712: libapache-authenhook-perl: leaks passwords to the logs
Date: Wed, 13 Oct 2010 22:40:59 +0200
On Wed, Oct 13, 2010 at 07:34:39PM +0200, Moritz Muehlenhoff wrote:
> On Wed, Oct 13, 2010 at 04:30:26PM +0200, Ansgar Burchardt wrote:
> > Hi,
> > 
> > libapache-authenhook-perl logs passwords in Apache's error.log if the
> > log level is >= info[1].  I prepared an update for Lenny including the
> > same patch used for testing/unstable (already unblocked[2] as well).
> > 
> > Should this go through stable-security or does the security team see
> > this as a minor issue that should be fixed in the next point release?
> > In the former case, shall I upload a package based on the attached patch
> > to stable-security?
> 
> Since the impact is minor, please fix it through a point update.
> 
> I'll request a CVE ID for it and keep you CCed, maybe you can
> hold off the upload for a few days until it's available? (The
> next point update will take a few weeks anyway)

CVE-2010-3845

Cheers,
         Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>:
Bug#599712; Package libapache-authenhook-perl. (Wed, 13 Oct 2010 21:06:06 GMT) (full text, mbox, link).


Message #57 received at 599712@bugs.debian.org (full text, mbox, reply):

From: Ansgar Burchardt <ansgar@43-1.org>
To: Moritz Muehlenhoff <jmm@inutil.org>
Cc: 599712@bugs.debian.org
Subject: Re: Bug#599712: libapache-authenhook-perl: leaks passwords to the logs
Date: Wed, 13 Oct 2010 23:04:04 +0200
Moritz Muehlenhoff <jmm@inutil.org> writes:

> On Wed, Oct 13, 2010 at 04:30:26PM +0200, Ansgar Burchardt wrote:
>> libapache-authenhook-perl logs passwords in Apache's error.log if the
>> log level is >= info[1].  I prepared an update for Lenny including the
>> same patch used for testing/unstable (already unblocked[2] as well).
>> 
>> Should this go through stable-security or does the security team see
>> this as a minor issue that should be fixed in the next point release?
>> In the former case, shall I upload a package based on the attached patch
>> to stable-security?
>
> Since the impact is minor, please fix it through a point update.
>
> I'll request a CVE ID for it and keep you CCed, maybe you can
> hold off the upload for a few days until it's available? (The
> next point update will take a few weeks anyway)

Sure.  I'll prepare an upload and contact the stable release team once I
get the CVE ID.

Regards,
Ansgar




Reply sent to Ansgar Burchardt <ansgar@debian.org>:
You have taken responsibility. (Sat, 23 Oct 2010 19:57:03 GMT) (full text, mbox, link).


Notification sent to "Steinar H. Gunderson" <sgunderson@bigfoot.com>:
Bug acknowledged by developer. (Sat, 23 Oct 2010 19:57:03 GMT) (full text, mbox, link).


Message #62 received at 599712-close@bugs.debian.org (full text, mbox, reply):

From: Ansgar Burchardt <ansgar@debian.org>
To: 599712-close@bugs.debian.org
Subject: Bug#599712: fixed in libapache-authenhook-perl 2.00-04+pristine-1+lenny1
Date: Sat, 23 Oct 2010 19:54:40 +0000
Source: libapache-authenhook-perl
Source-Version: 2.00-04+pristine-1+lenny1

We believe that the bug you reported is fixed in the latest version of
libapache-authenhook-perl, which is due to be installed in the Debian FTP archive:

libapache-authenhook-perl_2.00-04+pristine-1+lenny1.diff.gz
  to main/liba/libapache-authenhook-perl/libapache-authenhook-perl_2.00-04+pristine-1+lenny1.diff.gz
libapache-authenhook-perl_2.00-04+pristine-1+lenny1.dsc
  to main/liba/libapache-authenhook-perl/libapache-authenhook-perl_2.00-04+pristine-1+lenny1.dsc
libapache-authenhook-perl_2.00-04+pristine-1+lenny1_amd64.deb
  to main/liba/libapache-authenhook-perl/libapache-authenhook-perl_2.00-04+pristine-1+lenny1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 599712@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ansgar Burchardt <ansgar@debian.org> (supplier of updated libapache-authenhook-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Wed, 13 Oct 2010 23:17:55 +0200
Source: libapache-authenhook-perl
Binary: libapache-authenhook-perl
Architecture: amd64 source
Version: 2.00-04+pristine-1+lenny1
Distribution: stable
Urgency: high
Maintainer: Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>
Changed-By: Ansgar Burchardt <ansgar@debian.org>
Closes: 599712
Description: 
 libapache-authenhook-perl - Perl API for Apache 2.1 authentication
Changes: 
 libapache-authenhook-perl (2.00-04+pristine-1+lenny1) stable; urgency=high
 .
   * [CVE-2010-3845] Remove passwords from log messages. (Closes: #599712)





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 28 Nov 2010 07:29:20 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:42:13 2019; Machine Name: beach
