www-apache-bugdb mailing list archives

From Matthew Reimer <mrei...@vpop.net>
Subject other/1946: htpasswd doesn't properly terminate the salt before calling crypt()
Date Fri, 13 Mar 1998 21:12:09 GMT

>Number:         1946
>Category:       other
>Synopsis:       htpasswd doesn't properly terminate the salt before calling crypt()
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          support
>Submitter-Id:   apache
>Arrival-Date:   Fri Mar 13 13:20:01 PST 1998
>Last-Modified:
>Originator:     mreimer@vpop.net
>Organization:
apache
>Release:        1.2.5
>Environment:
FreeBSD 2.2.6-BETA
gcc 2.7.2.1
>Description:
Passwords generated by htpasswd are incorrect because the salt is not properly
terminated before calling crypt(). This shows up when htpasswd is linked against
libdescrypt.so.2.0.
>How-To-Repeat:
Use htpasswd to generate a DES password, and then try to use that password.
>Fix:
This one-line patch:

*** /www/apache/support/htpasswd.c      Sun Jun  9 16:50:13 1996
--- htpasswd.c  Fri Mar 13 13:00:43 1998
***************
*** 93,98 ****
--- 93,99 ----
      }
      (void)srand((int)time((time_t *)NULL));
      to64(&salt[0],rand(),2);
+     salt[2] = '\0';
      cpw = crypt(pw,salt);
      free(pw);
      fprintf(f,"%s:%s\n",user,cpw);
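
Review bot: the added `salt[2] = '\0';` writes to a third byte of `salt`, whose declaration is outside this hunk, so the patch should confirm the buffer has at least three elements (for example `char salt[3];`); otherwise the fix trades an unterminated string for an out-of-bounds write. In the surrounding context lines, `cpw` from `crypt(pw,salt)` is passed to `fprintf` with `%s` without a NULL check, and the salt comes from `rand()` seeded with `time()`, which is predictable; both are worth a follow-up change.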

>Audit-Trail:
>Unformatted:
[In order for any reply to be added to the PR database, ]
[you need to include <apbugs@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED.  This is not done]
[automatically because of the potential for mail loops. ]
