mod_auth_shadow Apache Module Authenticates Expired Passwords

SecurityTracker Alert ID: 1008675
SecurityTracker URL: http://securitytracker.com/id?1008675
CVE Reference: CVE-2004-0041
Updated: Jul 6 2008
Original Entry Date: Jan 12 2004
Impact: Host/resource access via network
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
Version(s): prior to 1.4

Description: A vulnerability was reported in the mod_auth_shadow Apache module. A remote user with previously valid authentication credentials but with an expired password can successfully authenticate.

It is reported that the software does not enforce a user's password expiration status. A remote authenticated user with a previously valid password may be able to authenticate successfully even though the password has expired.

Debian reported that David B Harris discovered this flaw.
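
The missing check, sketched as an added example (this is not mod_auth_shadow's code or the 1.4 patch): a password match is accepted only if the shadow entry's aging fields also pass. The function names, the constructed day numbers and the policy of allowing no sp_inact grace period are assumptions made for illustration.

```c
#include <shadow.h>
#include <stdio.h>

enum aging { AGING_OK, AGING_ACCOUNT_EXPIRED, AGING_MUST_CHANGE, AGING_PASSWORD_EXPIRED };

/* Classify a shadow entry against `today` (days since 1970-01-01, the unit
 * used by sp_lstchg and sp_expire). glibc reports an empty field as -1.
 * Assumption: no sp_inact grace period, because a web login gives the user
 * no way to change an aged password. */
enum aging check_aging(const struct spwd *sp, long today)
{
    if (sp->sp_expire > 0 && today >= sp->sp_expire)
        return AGING_ACCOUNT_EXPIRED;
    if (sp->sp_lstchg == 0)              /* change forced at next login */
        return AGING_MUST_CHANGE;
    if (sp->sp_lstchg > 0 && sp->sp_max >= 0 &&
        today >= sp->sp_lstchg + sp->sp_max)
        return AGING_PASSWORD_EXPIRED;
    return AGING_OK;                     /* aging disabled or still in date */
}

/* Behaviour the advisory describes: a matching password is sufficient. */
int auth_without_aging(int password_matches) { return password_matches; }

/* Hardened decision: a matching password AND a non-expired entry. */
int auth_with_aging(const struct spwd *sp, int password_matches, long today)
{
    return password_matches && check_aging(sp, today) == AGING_OK;
}

/* Hypothetical helper: build a constructed entry and return the hardened
 * decision for a correct password. */
int demo_decision(long lstchg, long max, long expire, long today)
{
    struct spwd sp = {0};
    sp.sp_lstchg = lstchg; sp.sp_max = max; sp.sp_expire = expire;
    sp.sp_min = sp.sp_warn = sp.sp_inact = -1;
    return auth_with_aging(&sp, 1, today);
}

int main(void)
{
    long today = 12429;                  /* constructed day number */
    printf("fresh password:  %d\n", demo_decision(12400, 90, -1, today));
    printf("aged password:   %d\n", demo_decision(12300, 90, -1, today));
    printf("expired account: %d\n", demo_decision(12400, 90, 12000, today));
    printf("without aging:   %d\n", auth_without_aging(1));
    return 0;
}
```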

Impact: A remote user can authenticate with a correct but expired password.

Solution: The vendor has released a fixed version (1.4), available at:
http://sourceforge.net/project/showfiles.php?group_id=11283&package_id=10508&release_id=208526

Vendor URL: sourceforge.net/projects/mod-auth-shadow
Cause: Authentication error, State error
Underlying OS: Linux (Any)

Source Message Contents
Date: Mon, 12 Jan 2004 15:24:26 -0500
Subject: mod_auth_shadow CVE: CAN-2004-0041
CVE: CAN-2004-0041
Debian reported that David B Harris discovered a flaw in the mod_auth_shadow Apache module.
It is reported that the software does not enforce a user's password expiration status. A
remote authenticated user with a previously valid password may be able to authenticate
successfully even though the password has expired.
The vendor has released a fixed version (1.4), available at:
http://sourceforge.net/project/showfiles.php?group_id=11283&package_id=10508&release_id=208526