On Thu, Sep 01, 2011 at 03:30:57PM +0100, Nick Kew wrote:
> On Thu, 1 Sep 2011 14:39:11 +0200
> Marcus Meissner <meiss...@suse.de> wrote:
> 
> > Hi,
> > 
> > CVE-2003-1418, a minor security issue, is still affecting the current 
> > codebase.
> > 
> > someone opened a tracker bug a year ago without feedback:
> > https://issues.apache.org/bugzilla/show_bug.cgi?id=49623
> 
> I've just hacked up a simple candidate patch.  Review?
> 
> (trunk patch - trivial offset when applied to 2.2.x)

This just md5s the inode number, right?

If yes, this is just obfuscation if you do not add some kind of random salt.

(You can still just do
        for (i=0;i<...;i++) md5($i) 
and compare, including use of Rainbow Tables.)

Ciao, Marcus
 
> -- 
> Nick Kew

> Index: modules/http/http_etag.c
> ===================================================================
> --- modules/http/http_etag.c  (revision 1164053)
> +++ modules/http/http_etag.c  (working copy)
> @@ -26,6 +26,7 @@
>  #include "http_core.h"
>  #include "http_protocol.h"   /* For index_of_response().  Grump. */
>  #include "http_request.h"
> +#include "util_md5.h"
>  
>  /* Generate the human-readable hex representation of an apr_uint64_t
>   * (basically a faster version of 'sprintf("%llx")')
> @@ -50,6 +51,13 @@
>      *next++ = HEX_DIGITS[u & (apr_uint64_t)0xf];
>      return next;
>  }
> +static char *etag_uint64_to_md5(char *next, apr_uint64_t u, apr_pool_t *pool)
> +{
> +    char *digest = ap_md5_binary(pool, (unsigned char*)&u, sizeof(u));
> +    int len = strlen(digest);
> +    memcpy(next, digest, len);
> +    return next+len;
> +}
>  
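Review bot: the core problem with etag_uint64_to_md5 is that it hashes the bare inode value with nothing secret mixed in, so the digest is a deterministic function of a small input space and can be reversed by enumerating candidate inode numbers or by a precomputed table, exactly as the reply above says; fold a per-server secret into the hashed input (or use a keyed construction) rather than MD5 of the number alone. Two smaller points: ap_md5_binary returns a fixed-width hex string of 2 * APR_MD5_DIGESTSIZE characters, so `int len = strlen(digest);` can be the constant instead, which keeps this function visibly consistent with the buffer size computed later in the patch; and hashing the raw bytes of `u` makes the token depend on host byte order, which is harmless for a per-server identifier but deserves a comment, as does the function itself, since its neighbour etag_uint64_to_hex has one and this one does not.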
>  #define ETAG_WEAK "W/"
>  #define CHARS_PER_UINT64 (sizeof(apr_uint64_t) * 2)
> @@ -114,7 +122,7 @@
>           * FileETag keywords.
>           */
>          etag = apr_palloc(r->pool, weak_len + sizeof("\"--\"") +
> -                          3 * CHARS_PER_UINT64 + 1);
> +                          2 * CHARS_PER_UINT64 + 2 * APR_MD5_DIGESTSIZE + 1);
>          next = etag;
>          if (weak) {
>              while (*weak) {
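Review bot: the new size `2 * CHARS_PER_UINT64 + 2 * APR_MD5_DIGESTSIZE + 1` is only correct because exactly one of the three FileETag components (inode) is now emitted as a digest and the other two stay as hex; that coupling between the allocation and the encoder chosen per branch is not visible here, so either state it in the comment above the apr_palloc or introduce a CHARS_PER_MD5 constant next to CHARS_PER_UINT64 and use it in both places, so a future change to another branch cannot silently overrun the buffer.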
> @@ -124,7 +132,7 @@
>          *next++ = '"';
>          bits_added = 0;
>          if (etag_bits & ETAG_INODE) {
> -            next = etag_uint64_to_hex(next, r->finfo.inode);
> +            next = etag_uint64_to_md5(next, r->finfo.inode, r->pool);
>              bits_added |= ETAG_INODE;
>          }
>          if (etag_bits & ETAG_SIZE) {
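Review bot: switching the inode branch from etag_uint64_to_hex to etag_uint64_to_md5 changes every ETag that includes the INode component, so after an upgrade all conditional requests carrying cached values will miss once and the FileETag documentation should say that the INode component is now a digest rather than the raw number; a CHANGES entry and a docs update belong with this hunk. Note also that the digest is still computed from the inode alone, so the reversal concern raised for etag_uint64_to_md5 applies to what is emitted here, and the mtime and size components remain plain hex as before.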


-- 
Working, but not speaking, for the following german company:
SUSE LINUX Products GmbH, HRB 16746 (AG Nuernberg)
Geschaeftsfuehrer: Jeff Hawn, Jennifer Guild, Felix Imendoerffer
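The enumeration Marcus sketches above, worked through as an added example (this is not code from the httpd patch or the project): the first function mirrors the patch by hashing the raw 8-byte inode with MD5, the attacker side recovers the inode by recomputing candidates or by a precomputed table, and a hypothetical keyed variant with a per-server secret shows the same enumeration failing. The inode number, the secret, the little-endian packing and the function names are all assumptions made for the demo.

```python
"""Added example, not part of the httpd patch: an unsalted MD5 of the inode
number is reversible by enumeration, a keyed hash under a per-server secret
is not.  Sample inode numbers and the secret are constructed for this demo."""
import hashlib
import hmac
import struct
from typing import Callable, Dict, Optional

# Width of the hex token: 2 * APR_MD5_DIGESTSIZE characters, which is what
# the patch reserves in its apr_palloc computation.
MD5_HEX_LEN = 2 * hashlib.md5().digest_size


def etag_inode_md5(inode: int) -> str:
    """Same construction as the patch: MD5 over the raw 8 bytes of the
    apr_uint64_t inode.  Little-endian is assumed here; the patch hashes
    the value in host byte order."""
    return hashlib.md5(struct.pack("<Q", inode)).hexdigest()


def etag_inode_keyed(inode: int, secret: bytes) -> str:
    """Hypothetical hardened variant: HMAC-MD5 over the same 8 bytes under a
    per-server secret.  The output is still MD5_HEX_LEN hex characters, so
    the patch's buffer sizing would be unchanged."""
    return hmac.new(secret, struct.pack("<Q", inode), hashlib.md5).hexdigest()


def recover_inode(token: str, max_inode: int,
                  guess: Callable[[int], str]) -> Optional[int]:
    """Attacker side of the 'for (i=0;i<...;i++) md5($i)' loop from the
    reply: recompute the token for every candidate inode and compare."""
    for candidate in range(max_inode + 1):
        if guess(candidate) == token:
            return candidate
    return None


def build_rainbow_table(max_inode: int,
                        guess: Callable[[int], str]) -> Dict[str, int]:
    """Precomputed token -> inode map.  Built once, it reverses every ETag
    seen on the wire with a single dictionary lookup."""
    return {guess(i): i for i in range(max_inode + 1)}


def reverse_with_table(token: str, table: Dict[str, int]) -> Optional[int]:
    """Table lookup variant of the attack."""
    return table.get(token)


if __name__ == "__main__":
    inode = 65537                      # constructed sample inode number
    secret = b"per-server secret"      # constructed; never sent to clients

    leaked = etag_inode_md5(inode)
    print("unsalted token:", leaked)
    print("recovered by enumeration:", recover_inode(leaked, 100000, etag_inode_md5))
    table = build_rainbow_table(100000, etag_inode_md5)
    print("recovered by table lookup:", reverse_with_table(leaked, table))

    keyed = etag_inode_keyed(inode, secret)
    print("keyed token:", keyed)
    # Without the secret the attacker can only try unkeyed or wrongly keyed
    # candidates, and neither matches.
    print("enumeration without secret:", recover_inode(keyed, 100000, etag_inode_md5))
    print("enumeration with wrong secret:",
          recover_inode(keyed, 100000, lambda i: etag_inode_keyed(i, b"wrong")))
```

The bound passed as `max_inode` stands in for the inode range on the target filesystem; since inode numbers are allocated densely from a small range on most filesystems, the unsalted token falls within seconds, whereas the keyed variant forces the attacker to guess the secret as well.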
