Report forwarded to debian-bugs-dist@lists.debian.org, Joao Eriberto Mota Filho <eriberto@eriberto.pro.br>: Bug#394454; Package chetcpasswd.
(full text, mbox, link).
Acknowledgement sent to Bas Zoetekouw <bas@debian.org>:
New Bug report received and forwarded. Copy sent to Joao Eriberto Mota Filho <eriberto@eriberto.pro.br>.
(full text, mbox, link).
Subject: uses HTTP_X_FORWARDED_FOR for authentication (and other security holes)
Date: Sat, 21 Oct 2006 13:16:41 +0200
Subject: uses HTTP_X_FORWARDED_FOR for authentication (and other security holes)
Package: chetcpasswd
Version: 2.3.3-1
Severity: critical
Tags: security
chetpasswd uses the HTTP_X_FORWARDED_FOR for authentication purposes:
if(getenv("HTTP_X_FORWARDED_FOR"))
sprintf(IP,"%s",getenv("HTTP_X_FORWARDED_FOR"));
else sprintf(IP,"%s",getenv("REMOTE_ADDR"));
and then goes on to check IP against
/etc/chetcpasswd/chetcpasswd.allow.
Obviously, HTTP_X_FORWARDED_FOR is not a trusted variable, and can be
spoofed by any scriptkiddie who can read the man page of wget. Simply
spoofing it to 127.0.0.1 will give access to the password changing app
from any remote host.
Furthermore, this cgi script doesn't seem to implement any rate
limiting for the passwd checks, thereby allowing for a dictionary
attack via http. Also, it seems to give different a error message if
the user is not found then if the entered password is wrong, thereby
exposing the names of user accounts to external attackers.
There are also issues with the package not using pam, and its
circumventing of any checks the admin might have in place.
I really think this package needs a security audit.
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable'), (200, 'experimental')
Architecture: amd64 (x86_64)
Shell: /bin/sh linked to /bin/dash
Kernel: Linux 2.6.17.8
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Information forwarded to debian-bugs-dist@lists.debian.org, Joao Eriberto Mota Filho <eriberto@eriberto.pro.br>: Bug#394454; Package chetcpasswd.
(full text, mbox, link).
Acknowledgement sent to Eriberto <eriberto@eriberto.pro.br>:
Extra info received and forwarded to list. Copy sent to Joao Eriberto Mota Filho <eriberto@eriberto.pro.br>.
(full text, mbox, link).
To: "Bas Zoetekouw" <bas@debian.org>, 394454@bugs.debian.org
Subject: Re: Bug#394454: uses HTTP_X_FORWARDED_FOR for authentication (and other security holes)
Date: Mon, 13 Nov 2006 16:40:34 -0200
The upstream author is not willing to cooperate on fixing the reported
bugs and considers Debian to be "too demanding". Still, the upstream
disrespected the Debian Project (used swear-word). I'm not willing to
fork his work nor maintain an ever growing patch to fix chetcpasswd
security flaws.
Regards,
Eriberto - Brazil
2006/10/21, Bas Zoetekouw <bas@debian.org>:
> Subject: uses HTTP_X_FORWARDED_FOR for authentication (and other security holes)
> Package: chetcpasswd
> Version: 2.3.3-1
> Severity: critical
> Tags: security
Information forwarded to debian-bugs-dist@lists.debian.org, Joao Eriberto Mota Filho <eriberto@eriberto.pro.br>: Bug#394454; Package chetcpasswd.
(full text, mbox, link).
Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
Extra info received and forwarded to list. Copy sent to Joao Eriberto Mota Filho <eriberto@eriberto.pro.br>.
(full text, mbox, link).
According to http://secunia.com/advisories/23024, there are more
security issues in chectpasswd.
It should be removed from Debian if no fix is expected.
Cheers,
Stefan
Debbugs is free software and licensed under the terms of the GNU General
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.