Title: mod_auth_shadow for Apache HTTP Server require group Authentication Bypass
Info
Disclosure: Oct 05, 2005
Discovery: Aug 05, 2005
Dates
Exploit: Aug 05, 2005
Solution: Unknown
Description
The Apache mod_auth_shadow module contains a flaw that may allow a remote attacker to bypass authentication. The issue occurs because mod_auth_shadow turns itself on, and cannot be turned off, whenever "require group" is used. This makes it impossible to use any other authentication module with "require group". This flaw may lead to a loss of integrity.
Classification
Location: Remote / Network Access
Attack Type: Authentication Management
Impact: Loss of Integrity
Exploit: Exploit Public
Disclosure: OSVDB Verified, Vendor Verified
OSVDB: Web Related
Solution
Upgrade to version 1.5 or higher, or to version 2.1 or higher, as these versions have been reported to fix this vulnerability. In addition, Debian has released a patch for some older versions of mod_auth_shadow.
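To find where a server is exposed to the behaviour in the Description, the following added example (not part of the original advisory or of the module's code) lists every "require group" line in a configuration that loads mod_auth_shadow and reports whether that section asked for shadow authentication. The file name `mod_auth_shadow.so`, the `AuthShadow on` directive and the sample paths are assumptions, and inheritance between nested sections is not modelled.

```python
import re

# Assumed names (not stated in the advisory): the module file name
# "mod_auth_shadow.so" and the module's "AuthShadow on" directive.
LOAD_RE = re.compile(r"^\s*LoadModule\s+\S+\s+\S*mod_auth_shadow\S*", re.I | re.M)
OPEN_RE = re.compile(r"^<\s*([A-Za-z]+)\s*([^>]*)>$")
CLOSE_RE = re.compile(r"^</\s*[A-Za-z]+\s*>$")
GROUP_RE = re.compile(r"^require\s+group\b", re.I)
SHADOW_ON_RE = re.compile(r"^AuthShadow\s+on\b", re.I)

# Constructed sample configuration, for illustration only.
SAMPLE = """\
LoadModule auth_shadow_module modules/mod_auth_shadow.so
<Directory /var/www/staff>
    AuthType Basic
    AuthGroupFile /etc/apache/staff.groups
    require group editors
</Directory>
<Directory /var/www/shell-users>
    AuthShadow on
    require group wheel
</Directory>
"""


def audit(config_text):
    """Return (line_no, section, shadow_requested) for each 'require group'."""
    if not LOAD_RE.search(config_text):
        return []  # module not loaded, nothing to report
    report = lambda f: [(n, f["name"], f["shadow"]) for n in f["groups"]]
    findings = []
    stack = [{"name": "(server config)", "shadow": False, "groups": []}]
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        opened = OPEN_RE.match(line)
        if opened:
            name = f"<{opened.group(1)} {opened.group(2).strip()}>"
            stack.append({"name": name, "shadow": False, "groups": []})
        elif CLOSE_RE.match(line) and len(stack) > 1:
            findings += report(stack.pop())  # section ended, evaluate it
        elif GROUP_RE.match(line):
            stack[-1]["groups"].append(line_no)
        elif SHADOW_ON_RE.match(line):
            stack[-1]["shadow"] = True
    for frame in stack:  # server-level directives and any unclosed sections
        findings += report(frame)
    return sorted(findings)
```

Entries whose last field is `False` are sections that use "require group" without requesting shadow authentication, which are the ones to review until the server runs a fixed version.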