Executive Summary
Summary | |
---|---|
Title | New mod-auth-shadow packages fix authentication bypass |
Information | |||
---|---|---|---|
Name | DSA-844 | First vendor Publication | 2005-10-05 |
Vendor | Debian | Last vendor Modification | 2005-10-05 |
Severity (Vendor) | N/A | Revision | 1 |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact Sub Score | NA | Temporal Score | NA |
Exploitability Sub Score | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P) | |||
---|---|---|---|
Cvss Base Score | 7.5 | Attack Range | Network |
Cvss Impact Score | 6.4 | Attack Complexity | Low |
Cvss Exploit Score | 10 | Authentication | None Required |
Detail
A vulnerability has been discovered in mod_auth_shadow, an Apache module that lets users perform HTTP authentication against /etc/shadow. The module runs for all locations that use the 'require group' directive. As a result, it bypasses access restrictions controlled by another authorisation mechanism, such as an AuthGroupFile file, if the username is listed in the password file and in the gshadow file in the proper group, and the supplied password matches the one in the shadow file.

This update requires an explicit "AuthShadow on" statement if website authentication should be checked against /etc/shadow.

For the old stable distribution (woody) this problem has been fixed in version 1.3-3.1woody.2.

For the stable distribution (sarge) this problem has been fixed in version 1.4-1sarge1.

For the unstable distribution (sid) this problem has been fixed in version 1.4-2.

We recommend that you upgrade your libapache-mod-auth-shadow package.
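Because the fixed packages only consult /etc/shadow where "AuthShadow on" is stated, it helps to list every section that uses 'require group' and see which mechanism it names. The following audit sketch is an added example, not part of the advisory or the module; the sample configuration, paths, status labels and function names are constructed, and it assumes non-nested Directory/Location/Files sections.

```python
import re

# Constructed sample configuration (not taken from the advisory).
SAMPLE_CONF = """\
<Directory /var/www/staff>
    AuthType Basic
    AuthUserFile /etc/apache/staff.passwd
    AuthGroupFile /etc/apache/staff.groups
    Require group editors
</Directory>
<Location /admin>
    AuthType Basic
    AuthShadow on
    require group wheel
</Location>
<Directory /var/www/legacy>
    AuthType Basic
    require group ops
</Directory>
"""

OPEN = re.compile(r'^<(Directory|Location|Files)\w*\s+(.+?)>$', re.I)
CLOSE = re.compile(r'^</(Directory|Location|Files)\w*>$', re.I)

def classify(section, directives):
    """Label one section; sections without 'require group' are skipped."""
    if not any(d[:2] == ['require', 'group'] for d in directives):
        return []
    if any(d[:2] == ['authshadow', 'on'] for d in directives):
        return [(section, 'shadow')]      # explicit opt-in to /etc/shadow
    if any(d[0] == 'authgroupfile' for d in directives):
        return [(section, 'groupfile')]   # another mechanism is named
    return [(section, 'review')]          # no mechanism stated: decide by hand

def audit(conf_text):
    """Return (section, status) for every section using 'require group'."""
    results, current, directives = [], None, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        m = OPEN.match(line)
        if m:
            current, directives = m.group(2).strip('"'), []
        elif CLOSE.match(line) and current is not None:
            results.extend(classify(current, directives))
            current = None
        elif current is not None:
            directives.append(line.lower().split())
    return results
```

Sections reported as `review` name no group source at all, so after the upgrade they need either an explicit "AuthShadow on" or another mechanism such as AuthGroupFile.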
Original Source
Url : http://www.debian.org/security/2005/dsa-844 |
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2008-01-17 | Name : Debian Security Advisory DSA 844-1 (mod-auth-shadow) File : nvt/deb_844_1.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
19863 | mod_auth_shadow for Apache HTTP Server require group Authentication Bypass: The Apache mod_auth_shadow module contains a flaw that may allow a remote attacker to bypass authentication. The issue is triggered when mod_auth_shadow turns itself on and cannot be turned off whenever "require group" is used. This makes it impossible to use any other authentication modules with "require group". This flaw may lead to a loss of integrity. |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2005-11-02 | Name : The remote Mandrake Linux host is missing one or more security updates. File : mandrake_MDKSA-2005-200.nasl - Type : ACT_GATHER_INFO |
2005-10-05 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-844.nasl - Type : ACT_GATHER_INFO |
Alert History
Date | Information |
---|---|
2014-02-17 11:34:28 |