Debian Bug report logs - #394454
uses HTTP_X_FORWARDED_FOR for authentication (and other security holes)


Package: chetcpasswd; Maintainer for chetcpasswd is (unknown);

Reported by: Bas Zoetekouw <bas@debian.org>

Date: Sat, 21 Oct 2006 11:33:02 UTC

Severity: critical

Tags: security

Found in version chetcpasswd/2.3.3-1

Done: Moritz Muehlenhoff <jmm@inutil.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Joao Eriberto Mota Filho <eriberto@eriberto.pro.br>:
Bug#394454; Package chetcpasswd.


Acknowledgement sent to Bas Zoetekouw <bas@debian.org>:
New Bug report received and forwarded. Copy sent to Joao Eriberto Mota Filho <eriberto@eriberto.pro.br>.


Message #5 received at submit@bugs.debian.org:

From: Bas Zoetekouw <bas@debian.org>
To: submit@bugs.debian.org
Subject: uses HTTP_X_FORWARDED_FOR for authentication (and other security holes)
Date: Sat, 21 Oct 2006 13:16:41 +0200
Package: chetcpasswd
Version: 2.3.3-1
Severity: critical
Tags: security

chetcpasswd uses HTTP_X_FORWARDED_FOR for authentication purposes:

   /* client-supplied header wins over the server-set peer address */
   if(getenv("HTTP_X_FORWARDED_FOR"))
      sprintf(IP,"%s",getenv("HTTP_X_FORWARDED_FOR"));
   else sprintf(IP,"%s",getenv("REMOTE_ADDR"));

and then goes on to check IP against
/etc/chetcpasswd/chetcpasswd.allow.  

Obviously, HTTP_X_FORWARDED_FOR is not a trusted variable, and can be
spoofed by any scriptkiddie who can read the man page of wget.  Simply
spoofing it to 127.0.0.1 will give access to the password changing app
from any remote host.  

Furthermore, this CGI script doesn't seem to implement any rate
limiting for the passwd checks, thereby allowing for a dictionary
attack via HTTP.  Also, it seems to give a different error message if
the user is not found than if the entered password is wrong, thereby
exposing the names of user accounts to external attackers.

There are also issues with the package not using pam, and its
circumventing of any checks the admin might have in place.

I really think this package needs a security audit.

-- System Information:
Debian Release: testing/unstable
  APT prefers unstable
  APT policy: (500, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Shell:  /bin/sh linked to /bin/dash
Kernel: Linux 2.6.17.8
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
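The following is an added example, not code from chetcpasswd or from the reporter, illustrating the flaw above: a CGI resolver that copies HTTP_X_FORWARDED_FOR verbatim, beside a hardened resolver that only honours the header when the TCP peer (REMOTE_ADDR, which the web server sets from the socket and the HTTP client cannot forge) is a proxy the administrator operates, and then takes only the rightmost element, the one that proxy appended. The addresses, the trusted-proxy list and the in-memory allow list standing in for /etc/chetcpasswd/chetcpasswd.allow are constructed for the example; the report does not describe the allow file's format, so exact string matching is assumed.

```c
/* Added example: client-address resolution in a CGI program, the way the
 * report describes it (vulnerable) and a hardened alternative. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IP_LEN 64

/* Vulnerable: mirrors the snippet quoted in the report. The HTTP client
 * controls X-Forwarded-For, and the web server hands it to the CGI
 * environment unchanged, so whatever the client sends becomes "its" IP. */
static void client_ip_vulnerable(const char *xff, const char *remote_addr,
                                 char *out, size_t outlen)
{
    snprintf(out, outlen, "%s", xff ? xff : (remote_addr ? remote_addr : ""));
}

/* True when the TCP peer is one of the reverse proxies we operate
 * (hypothetical list; a real deployment would load it from config). */
static int is_trusted_proxy(const char *peer, const char *const *proxies,
                            size_t nproxies)
{
    for (size_t i = 0; i < nproxies; i++)
        if (strcmp(peer, proxies[i]) == 0)
            return 1;
    return 0;
}

/* Hardened: use REMOTE_ADDR unless the peer is a trusted proxy. In that
 * case take only the last comma-separated element of X-Forwarded-For,
 * which is the one the trusted proxy appended; everything to its left was
 * supplied by the client or by proxies we do not control. */
static void client_ip_hardened(const char *xff, const char *remote_addr,
                               const char *const *proxies, size_t nproxies,
                               char *out, size_t outlen)
{
    if (!remote_addr) { out[0] = '\0'; return; }
    if (!xff || !is_trusted_proxy(remote_addr, proxies, nproxies)) {
        snprintf(out, outlen, "%s", remote_addr);
        return;
    }
    const char *last = strrchr(xff, ',');
    last = last ? last + 1 : xff;
    while (*last == ' ' || *last == '\t') last++;          /* leading space */
    snprintf(out, outlen, "%s", last);
    size_t len = strlen(out);
    while (len > 0 && (out[len - 1] == ' ' || out[len - 1] == '\t'))
        out[--len] = '\0';                                  /* trailing space */
}

/* Allow-list check; the list stands in for chetcpasswd.allow (assumed
 * exact-match format). */
static int ip_allowed(const char *ip, const char *const *allow, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(ip, allow[i]) == 0)
            return 1;
    return 0;
}

/* Constructed scenario from the report: allow list holds only 127.0.0.1,
 * a remote host (203.0.113.7, documentation range) sends
 * "X-Forwarded-For: 127.0.0.1". Returns 1 if access is granted. */
int spoof_grants_access_vulnerable(void)
{
    static const char *const allow[] = { "127.0.0.1" };
    char ip[IP_LEN];
    client_ip_vulnerable("127.0.0.1", "203.0.113.7", ip, sizeof ip);
    return ip_allowed(ip, allow, 1);
}

int spoof_grants_access_hardened(void)
{
    static const char *const allow[]   = { "127.0.0.1" };
    static const char *const proxies[] = { "192.0.2.10" };   /* assumed proxy */
    char ip[IP_LEN];
    client_ip_hardened("127.0.0.1", "203.0.113.7", proxies, 1, ip, sizeof ip);
    return ip_allowed(ip, allow, 1);
}

/* Legitimate path: the request arrives via the trusted proxy, which appended
 * the real client after the client's own forged value. Returns 1 when the
 * hardened resolver picks the real client. */
int proxy_path_resolves_client(void)
{
    static const char *const proxies[] = { "192.0.2.10" };
    char ip[IP_LEN];
    client_ip_hardened("127.0.0.1, 203.0.113.7", "192.0.2.10",
                       proxies, 1, ip, sizeof ip);
    return strcmp(ip, "203.0.113.7") == 0;
}

int main(void)
{
    printf("vulnerable resolver grants spoofed access: %d\n",
           spoof_grants_access_vulnerable());
    printf("hardened resolver grants spoofed access:   %d\n",
           spoof_grants_access_hardened());
    printf("hardened resolver sees real client via proxy: %d\n",
           proxy_path_resolves_client());
    return 0;
}
```

The spoof needs nothing more than the header option of any HTTP client (curl -H or wget --header). Note that the hardened version still depends on the trusted proxy overwriting or appending to the header rather than passing the client's copy through; if no proxy sits in front of the CGI, the correct fix is to ignore X-Forwarded-For entirely and use REMOTE_ADDR.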



Information forwarded to debian-bugs-dist@lists.debian.org, Joao Eriberto Mota Filho <eriberto@eriberto.pro.br>:
Bug#394454; Package chetcpasswd.


Acknowledgement sent to Eriberto <eriberto@eriberto.pro.br>:
Extra info received and forwarded to list. Copy sent to Joao Eriberto Mota Filho <eriberto@eriberto.pro.br>.


Message #10 received at 394454@bugs.debian.org:

From: Eriberto <eriberto@eriberto.pro.br>
To: "Bas Zoetekouw" <bas@debian.org>, 394454@bugs.debian.org
Subject: Re: Bug#394454: uses HTTP_X_FORWARDED_FOR for authentication (and other security holes)
Date: Mon, 13 Nov 2006 16:40:34 -0200
The upstream author is not willing to cooperate on fixing the reported
bugs and considers Debian to be "too demanding". Still, the upstream
disrespected the Debian Project (used a swear word). I'm not willing to
fork his work nor maintain an ever-growing patch to fix chetcpasswd
security flaws.

Regards,

Eriberto - Brazil

2006/10/21, Bas Zoetekouw <bas@debian.org>:
> Subject: uses HTTP_X_FORWARDED_FOR for authentication (and other security holes)
> Package: chetcpasswd
> Version: 2.3.3-1
> Severity: critical
> Tags: security



Information forwarded to debian-bugs-dist@lists.debian.org, Joao Eriberto Mota Filho <eriberto@eriberto.pro.br>:
Bug#394454; Package chetcpasswd.


Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
Extra info received and forwarded to list. Copy sent to Joao Eriberto Mota Filho <eriberto@eriberto.pro.br>.


Message #15 received at 394454@bugs.debian.org:

From: Stefan Fritsch <sf@sfritsch.de>
To: 394454@bugs.debian.org
Subject: CVE-2006-6639: more security issues in chetcpasswd
Date: Thu, 21 Dec 2006 20:09:27 +0100
According to http://secunia.com/advisories/23024, there are more
security issues in chetcpasswd.

It should be removed from Debian if no fix is expected.

Cheers,
Stefan

Reply sent to Moritz Muehlenhoff <jmm@inutil.org>:
You have taken responsibility.


Notification sent to Bas Zoetekouw <bas@debian.org>:
Bug acknowledged by developer.


Message #20 received at 394454-done@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: 394454-done@bugs.debian.org, 394453-done@bugs.debian.org
Subject: Has been removed
Date: Mon, 25 Dec 2006 18:26:19 +0100
chetcpasswd has been removed from the archive; closing the open bugs.



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 18 Jun 2007 08:50:48 GMT)

