Bug 48934 (CVE-2004-0041) - VUL-0: CVE-2004-0041: mod_auth_shadow: did not check expiration date
Summary: VUL-0: CVE-2004-0041: mod_auth_shadow: did not check expiration date
Status: RESOLVED FIXED
Alias: CVE-2004-0041
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: All Linux
: P3 - Medium : Normal
Target Milestone: ---
Assignee: Thomas Biege
QA Contact: Security Team bot
URL:
Whiteboard: CVE-2004-0041: CVSS v2 Base Score: 7....
Keywords:
Depends on:
Blocks:
 
Reported: 2004-01-13 17:38 UTC by Thomas Biege
Modified: 2021-09-30 15:17 UTC (History)
1 user (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Proposed patch, extracted from fixed Debian package and seperated from another patch (1.95 KB, patch)
2004-02-06 20:59 UTC, Peter Poeml 		Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Biege 2004-01-13 17:38:27 UTC 
Hi Peter, 
Debian reported the following: 
- -------------------------------------------------------------------------- 
Debian Security Advisory DSA 421-1                     security@debian.org 
http://www.debian.org/security/                             Matt Zimmerman 
January 12th, 2004                      http://www.debian.org/security/faq 
- -------------------------------------------------------------------------- 
 
Package        : mod-auth-shadow 
Vulnerability  : password expiration 
Problem-Type   : remote 
Debian-specific: no 
CVE Ids        : CAN-2004-0041 
 
David B Harris discovered a problem with mod-auth-shadow, an Apache 
module which authenticates users against the system shadow password 
database, where the expiration status of the user's account and 
password were not enforced.  This vulnerability would allow an 
otherwise authorized user to successfully authenticate, when the 
attempt should be rejected due to the expiration parameters. 
 
For the current stable distribution (woody) this problem has been 
fixed in version 1.3-3.1woody.1 
 
For the unstable distribution (sid) this problem has been fixed in 
version 1.4-1. 
 
We recommend that you update your mod-auth-shadow package. 
--- 
 
The advisory is not online yet. 
http://www.debian.org/security/2004/dsa-421
Comment 1 Thomas Biege 2004-01-13 17:38:27 UTC 
<!-- SBZ_reproduce  -->
-
Comment 2 Thomas Biege 2004-01-13 17:39:05 UTC 
Maybe this could be fixed together with mod_gzip.
Comment 3 Peter Poeml 2004-01-13 18:35:48 UTC 
Yes, good idea.
Comment 4 Peter Poeml 2004-02-06 20:59:00 UTC 
Created attachment 15899 [details]
Proposed patch, extracted from fixed Debian package and seperated from another patch
Comment 5 Peter Poeml 2004-02-07 01:34:25 UTC 
Reproduced the problem with our package, 

  ==> /var/log/httpd/access_log <==
  10.0.8.6 - too_old [06/Feb/2004:18:28:59 +0100] "GET /auth_shadow/ HTTP/1.0" 200 243


and verified that the fix resolves it:

  ==> /var/log/httpd/access_log <==
  10.0.8.6 - too_old [06/Feb/2004:18:31:53 +0100] "GET /auth_shadow/ HTTP/1.0" 401 466
  
  ==> /var/log/httpd/error_log <==
  /usr/sbin/validate: User too_old: account expired
  [Fri Feb  6 18:31:53 2004] [error] (29)Illegal seek: access to /auth_shadow/ failed for 10.0.8.6, reason: Invalid password entered for user too_old
Comment 6 Peter Poeml 2004-02-10 18:48:22 UTC 
The fix is now applied and checked in in all our apache-contrib
packages.
Comment 7 Peter Poeml 2004-02-11 22:33:51 UTC 
Thomas, I reassign to you for further processing.
Comment 8 Thomas Biege 2004-02-23 22:25:40 UTC 
packages approved.
Comment 9 Thomas Biege 2004-02-23 22:26:24 UTC 
done.
Comment 10 Thomas Biege 2009-10-13 19:48:51 UTC 
CVE-2004-0041: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)