Apache mod-auth-shadow "require group" directive bypass security

modauthshadow-require-group-bypass-security (22520) The risk level is classified as MediumMedium Risk

Description:

mod-auth-shadow is a module for the Apache HTTP Server that authenticates against the /etc/shadow file. Locations using the mod-auth-shadow module with the require group directive could bypass security restrictions used by other mechanisms.

Note: The 'AuthShadow on' statement is required for this vulnerability to exist.


Consequences:

Bypass Security

Remedy:

For Debian GNU/Linux 3.0 (woody):
Upgrade to the latest mod-auth-shadow package (1.3-3.1or later), as listed in DSA-844-1. See References.

For Debian GNU/Linux 3.1 (sarge):
Upgrade to the latest mod-auth-shadow package (1.4-1sarge1 or later), as listed in DSA-844-1. See References.

References:

  • Full-Disclosure Mailing List, Wed Oct 05 2005 - 04:23:52 CDT: New mod-auth-shadow packages fix authentication bypass.
  • BID-15224: Apache Mod_Auth_Shadow Authentication Bypass Vulnerability
  • CVE-2005-2963: The mod_auth_shadow module 1.0 through 1.5 and 2.0 for Apache with AuthShadow enabled uses shadow authentication for all locations that use the require group directive, even when other authentication mechanisms are specified, which might allow remote authenticated users to bypass security restrictions.
  • DSA-844: mod-auth-shadow -- programming error
  • OSVDB ID: 19863: mod_auth_shadow for Apache HTTP Server require group Authentication Bypass
  • SA17060: Apache mod_auth_shadow Module "require group" Incorrect Authentication

Platforms Affected:

  • Debian Debian Linux 3.0
  • Debian Debian Linux 3.1
  • mod-auth-shadow mod-auth-shadow

Reported:

Oct 05, 2005

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page