Package: libapache-dbi-perl
Version: 1.04-0.1
Severity: critical
Tags: patch upstream
I think I found a little security bug in Apache::AuthDBI (given that
authentication credentials logging is considered a security bug).
The problem was introduced when the 'sub debug' method was added which
checks against '$Apache::AuthDBI::DEBUG' but does so inverse to the
logic suggested by the documentation (and other checks against this
variable in other places). The default ($Apache::AuthDBI::DEBUG = 0)
logs *everything* to Apache's error_log, including passwords!
This patch fixes the check :)
The patch is generated for version 1.04; the bug still seems to exist
in 1.05, which is in CPAN (I'm also CC'ing the author).
This problem was not present in sarge, I haven't checked when it was
introduced, but this is (for Debian at least) a 'Must fix' for etch.
Regards,
justin....
--
Justin Ossevoort <[EMAIL PROTECTED]>
Quarantainenet <http://www.quarantaine.net/>
--- Apache/AuthDBI.pm.orig 2007-02-23 17:33:59.000000000 +0100
+++ Apache/AuthDBI.pm 2007-02-23 17:34:40.000000000 +0100
@@ -28,7 +28,7 @@
use Digest::MD5 ();
sub debug {
- print STDERR "$_[1]\n" if $_[0] >= $Apache::AuthDBI::DEBUG;
+ print STDERR "$_[1]\n" if $Apache::AuthDBI::DEBUG >= $_[0];
}
sub push_handlers {
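Review bot: The swapped comparison is the right fix: with the default $Apache::AuthDBI::DEBUG = 0, the old condition `$_[0] >= $Apache::AuthDBI::DEBUG` is true for every non-negative message level, so every debug line (including the ones carrying passwords, as the report says) reaches error_log; `$Apache::AuthDBI::DEBUG >= $_[0]` restores the documented meaning that a message is printed only when its level does not exceed the configured one. Two follow-ups worth raising alongside it: the messages that include the password should be masked at the call sites regardless of level, because an administrator who raises DEBUG to troubleshoot a login problem will otherwise still write credentials into error_log, and a changelog entry should spell out that installations running the unpatched default have been logging passwords, so operators know to rotate affected credentials and review error_log permissions.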
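To make the inversion concrete, here is a small added illustration written for this note; it is not code from Apache::AuthDBI or from the reporter. The two predicates reproduce the comparison direction before and after the hunk above, the message levels and texts are constructed samples, and the global is a stand-in for $Apache::AuthDBI::DEBUG.

```perl
#!/usr/bin/perl
# Added illustration (not Apache::AuthDBI code): compare the two comparison
# directions from the patch under several DEBUG settings.
use strict;
use warnings;

our $DEBUG = 0;   # stand-in for $Apache::AuthDBI::DEBUG (module default is 0)

# Predicate as in 1.04: message level >= configured level.
sub should_log_buggy { my ($level) = @_; return $level >= $DEBUG; }

# Predicate after the patch: configured level >= message level.
sub should_log_fixed { my ($level) = @_; return $DEBUG >= $level; }

# Constructed sample messages; level 2 stands for the kind of verbose
# line that would carry credentials (the sample password is made up).
my @messages = (
    [0, 'handler entered'],
    [1, 'authenticating user "alice"'],
    [2, 'credentials: alice / s3cr3t (constructed sample)'],
);

# For each DEBUG setting, list which message levels each predicate emits.
for my $setting (0, 1, 2) {
    $DEBUG = $setting;
    for my $pred (['buggy', \&should_log_buggy],
                  ['fixed', \&should_log_fixed]) {
        my ($name, $code) = @$pred;
        my @logged = map { $_->[0] } grep { $code->($_->[0]) } @messages;
        printf "DEBUG=%d %-5s emits levels: %s\n", $setting, $name,
            @logged ? join(',', @logged) : '(none)';
    }
}
```

Running it shows the two predicates moving in opposite directions: the buggy form emits the most (including the level-2 credentials line) at the default DEBUG=0 and only quiets down as DEBUG is raised, while the fixed form emits nothing above level 0 at the default and only reaches the credentials line once an administrator deliberately sets DEBUG to 2.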