The Apache Haus Forum

Forum Topics => Apache 2.4 => Topic started by: casi91 on December 13, 2012, 03:14:36 PM

Title: security problem, auth_form and authn_dbd
Post by: casi91 on December 13, 2012, 03:14:36 PM
Hi there,

I try to configure a Login with the Apache Server.
I would like to use my own Login-Page, so i use "mod_auth_form".
I also want to check the user over my DB.
So i use "mod_auth_dbd" and "mod_authz_dbd"

The login and the logout works fine. But I've got a security Problem.
When I'm logged in and watch my Browser cookies, I see the username and the password without any crypt.
for example:
Quote
MyServer-user=testusr&MyServer-pw=testpwd

How can I made my Login more safely?

My System Informations:
- Apache 2.4.3
- PHP 5.4.9
- Windows Server 2008 R2

Here is my current Configuration:
Code: [Select]
<Location /login>
   SetHandler form-login-handler
   AuthFormLoginRequiredLocation /index.php
   AuthFormLoginSuccessLocation /xxx/login.php

   # core authentication and mod_auth_basic configuration
   # for mod_authn_dbd   

   AuthType form
   AuthName "SVR"
   AuthFormProvider dbd
   Session On
   #SessionCryptoPassphrase secret
   SessionCookieName session path=/   

     # don't require user to already be logged in!
       AuthDBDUserPWQuery "SELECT pwd FROM tbl WHERE usr = %s"

       # dbd-login action executes a statement to log user in
       Require dbd-login
       AuthzDBDQuery "UPDATE tbl SET login = 'true' WHERE usr = %s"

       # return user to referring page (if any) after
      # successful login
       AuthzDBDLoginToReferer On
</Location>


<Directory "xxx/xxx">
   # core authentication and mod_auth_basic configuration
   # for mod_authn_dbd
   AuthType form
   AuthName "SVR"
   AuthFormProvider dbd
   AuthFormLoginRequiredLocation /index.php
   Session On
   #SessionCryptoPassphrase secret   
   SessionCookieName session path=/

   # core authorization configuration
   Require valid-user

   # mod_authn_dbd SQL query to authenticate a user
   AuthDBDUserPWQuery "SELECT pwd FROM tbl WHERE usr = %s AND login = 'true'"
     
   ErrorDocument 401 /loginfail.php

   <Files login.php>
        # don't require user to already be logged in!
          AuthDBDUserPWQuery "SELECT pwd FROM tbl WHERE usr = %s"

          # dbd-login action executes a statement to log user in
          Require dbd-login
          AuthzDBDQuery "UPDATE tbl SET login = 'true' WHERE usr = %s"

          # return user to referring page (if any) after
         # successful login
          #AuthzDBDLoginToReferer On
   </Files>
</Directory>

I also tried
Code: [Select]
Session On   
SessionCookieName session path=/
SessionCryptoPassphrase secret
instead of
Code: [Select]
   
Session On   
SessionCookieName session path=/
But then, after I press my Loginbutton, I get a Error in the Browser:
Quote
The connection to the server was reset while the page was loading.
And in the Adressrow I see, that the position is
Quote
myserver/login


I hope you understand my problem and my english is not that bad.
Title: Re: security problem, auth_form and authn_dbd
Post by: casi91 on December 13, 2012, 04:19:30 PM
Hi there

I delete my error-log and rebuild my problem. And now I found this line:
Quote
[mpm_winnt:notice] [pid 3552:tid 420] AH00428: Parent: child process exited with status 255 -- Restarting.

So, that says, that the Server actually is restarting.
But how can i figure out why this happens?
Title: Re: security problem, auth_form and authn_dbd
Post by: Gregg on December 13, 2012, 06:55:49 PM
SessionCrypto* requires mod_session_crypto
http://httpd.apache.org/docs/2.4/mod/mod_session_crypto.html

As for why is Apache restarting, you might find your answer in the Windows Event Log. Typically something crashes the child process and the parent restarts them.
Title: Re: security problem, auth_form and authn_dbd
Post by: casi91 on December 14, 2012, 07:04:24 AM
Thanks for this hint.
Shame on me, that i didn't saw in the Windows-Eventlog

So, I got new Informations.
The Windows-Eventlog says, that die faulting Application is "httpd.exe"
and the faultig Module is "libaprutil-1.dll"

More (important) Informations are not available.
Any Ideas?
Title: Re: security problem, auth_form and authn_dbd
Post by: Gregg on December 14, 2012, 08:11:48 AM
Typically a faulty 3rd party module. Not so typical is the way APR Util interacts with the system. Some systems do funny things.

Did this start happening after loading mod_session_crypto and not before?
If so, where did you get your Apache and is it VC10 or VC9 build?

Title: Re: security problem, auth_form and authn_dbd
Post by: casi91 on December 14, 2012, 09:43:48 AM
The problem happens after I write this row:
Code: [Select]
SessionCryptoPassphrase secret
The mod_session_crypto modul does not fire the problem.
The module is always loaded in my httpd.conf

I got my Version from apachelounge
http://www.apachelounge.com/download/win64/ (http://www.apachelounge.com/download/win64/)
(I hope i'm allowed to post this link. If not please tell me or remove the link)

and it is the VC10 build
Title: Re: security problem, auth_form and authn_dbd
Post by: Gregg on December 15, 2012, 11:28:02 PM
Yes, it's ok to post URL to Apache Lounge.

I do not have an answer or any more questions for you just at the moment. I am going to have to first learn how to use the auth_form stuff then play around with it a little. I wouldn't believe our binaries would work better than his in this situation but I will not know till I have time to test this on ours.



Title: Re: security problem, auth_form and authn_dbd
Post by: Gregg on December 16, 2012, 09:46:49 AM
Well that was fun .... not!

It works for me. I did not set up a big php login with mysql database however. I just used a quick and dirty .htaccess file.

Your problem may be when connecting to your database, I'd say set up some other area with just AuthFormProvider file and an .htpasswd file and try it there. See if session crypto is working then. If not, problem must be with the Apache Lounge's binaries.

Anyhow, session crypto works for me. I'm not very good with php or mysql so I am not the person to debug that part. Try using session crypto with .htpasswd first, if that works, you might take your problem to the Apache User Support and Discussion mailing list (http://httpd.apache.org/lists.html#http-users) (not any of the others) with this since I see there is no answers to your post over at Apache Lounge. There's a lot of smart people on that users mailing list.

One thing I ran into is using SSI in the login form, if I did that, nothing at all worked. That is a bug that should be fixed in 2.4.4, and I'm going to add the last needed vote to get it into 2.4.4 now.

Oddly, when you first get in the session cookie will show as (none), reload the page and it will show up.

Edit: Removed dead link
Title: Re: security problem, auth_form and authn_dbd
Post by: Gregg on December 16, 2012, 10:14:34 AM
vote, promote
http://svn.apache.org/viewvc?view=revision&revision=1422489

Edit: Backported to what will be 2.4.4
http://svn.apache.org/viewvc?view=revision&revision=1422570
Title: Re: security problem, auth_form and authn_dbd
Post by: casi91 on December 17, 2012, 08:19:40 AM
Hi, thanks for your answer.

I will try it without my DB and tell you if it works or not.
If it doesnt work, i will try your binaries.

So, let's start  :)
Title: Re: security problem, auth_form and authn_dbd
Post by: casi91 on December 17, 2012, 09:03:41 AM
so...
i will try out your binaries. Maybe it helps.
I copied your config and i only changed the path.
But the Server seems to turning arround.
Here is the errorlog: (till 08:55:47 everythings fine, but thats only the log for the server start)
And after then, the Server is restarting 2 Times. :-(

Quote
The testweb service is restarting.
Starting the testweb service
The testweb service is running.
] [auth_digest:notice] [pid 1496:tid 388] AH01757: generating secret for digest authentication ...
[Mon Dec 17 08:55:45.001811 2012] [mpm_winnt:notice] [pid 1496:tid 388] AH00455: Apache/2.4.3 (Win64) configured -- resuming normal operations
[Mon Dec 17 08:55:45.001811 2012] [mpm_winnt:notice] [pid 1496:tid 388] AH00456: Server built: Aug 18 2012 14:13:48
[Mon Dec 17 08:55:45.001811 2012] [core:notice] [pid 1496:tid 388] AH00094: Command line: 'xxxx\\xxxx\\xxxx\\bin\\httpd.exe -d xxxx/xxxx/Apache24'
[Mon Dec 17 08:55:45.001811 2012] [mpm_winnt:notice] [pid 1496:tid 388] AH00418: Parent: Created child process 2716
[Mon Dec 17 08:55:46.017221 2012] [auth_digest:notice] [pid 2716:tid 324] AH01757: generating secret for digest authentication ...
[Mon Dec 17 08:55:47.626256 2012] [mpm_winnt:notice] [pid 2716:tid 324] AH00354: Child: Starting 64 worker threads.
[Mon Dec 17 08:56:13.183724 2012] [mpm_winnt:notice] [pid 1496:tid 388] AH00428: Parent: child process exited with status 255 -- Restarting.
[Mon Dec 17 08:56:13.261832 2012] [auth_digest:notice] [pid 1496:tid 388] AH01757: generating secret for digest authentication ...
[Mon Dec 17 08:56:14.011669 2012] [mpm_winnt:notice] [pid 1496:tid 388] AH00455: Apache/2.4.3 (Win64) configured -- resuming normal operations
[Mon Dec 17 08:56:14.011669 2012] [mpm_winnt:notice] [pid 1496:tid 388] AH00456: Server built: Aug 18 2012 14:13:48
[Mon Dec 17 08:56:14.011669 2012] [core:notice] [pid 1496:tid 388] AH00094: Command line: 'xxxx\\xxxx\\xxxx\\bin\\httpd.exe -d xxxx/xxxx/xxxx'
[Mon Dec 17 08:56:14.011669 2012] [mpm_winnt:notice] [pid 1496:tid 388] AH00418: Parent: Created child process 3992
[Mon Dec 17 08:56:15.027073 2012] [auth_digest:notice] [pid 3992:tid 324] AH01757: generating secret for digest authentication ...
[Mon Dec 17 08:56:17.104746 2012] [mpm_winnt:notice] [pid 3992:tid 324] AH00354: Child: Starting 64 worker threads.
[Mon Dec 17 08:56:17.229719 2012] [mpm_winnt:notice] [pid 1496:tid 388] AH00428: Parent: child process exited with status 255 -- Restarting.
[Mon Dec 17 08:56:17.323448 2012] [auth_digest:notice] [pid 1496:tid 388] AH01757: generating secret for digest authentication ...
[Mon Dec 17 08:56:18.010799 2012] [mpm_winnt:notice] [pid 1496:tid 388] AH00455: Apache/2.4.3 (Win64) configured -- resuming normal operations
[Mon Dec 17 08:56:18.010799 2012] [mpm_winnt:notice] [pid 1496:tid 388] AH00456: Server built: Aug 18 2012 14:13:48
[Mon Dec 17 08:56:18.010799 2012] [core:notice] [pid 1496:tid 388] AH00094: Command line: 'xxxx\\xxxx\\xxxx\\bin\\httpd.exe -d xxxxx/xxxxx/xxxxx'
[Mon Dec 17 08:56:18.010799 2012] [mpm_winnt:notice] [pid 1496:tid 388] AH00418: Parent: Created child process 1572
Title: Re: security problem, auth_form and authn_dbd
Post by: casi91 on December 17, 2012, 09:55:25 AM
It's me again.

I downloaded your binaries: http://www.apachehaus.com/cgi-bin/download.plx (http://www.apachehaus.com/cgi-bin/download.plx)
(I downloaded the x64 binaries)

but now, when I try to install/start the new apache instance, the Server crashes directly.
Quote
Problemsignatur:
  Problemereignisname:   APPCRASH
  Anwendungsname:   httpd.exe
  Anwendungsversion:   2.4.3.0
  Anwendungszeitstempel:   502fde1c
  Fehlermodulname:   MSVCR90.dll
  Fehlermodulversion:   9.0.21022.8
  Fehlermodulzeitstempel:   47313e07
  Ausnahmecode:   c0000005
  Ausnahmeoffset:   000000000001801e
  Betriebsystemversion:   6.1.7601.2.1.0.274.10
  Gebietsschema-ID:   1031
  Zusatzinformation 1:   2870
  Zusatzinformation 2:   2870d298bb95cdaf4fa3d5ad2f2c90ce
  Zusatzinformation 3:   25ea
  Zusatzinformation 4:   25ea0f9b65c97060ce0b97e3bcf0a810

Lesen Sie unsere Datenschutzbestimmungen online:
  http://go.microsoft.com/fwlink/?linkid=104288&clcid=0x0407

Wenn die Onlinedatenschutzbestimmungen nicht verf?gbar sind, lesen Sie unsere Datenschutzbestimmungen offline:
  C:\Windows\system32\de-DE\erofflps.txt
Title: Re: security problem, auth_form and authn_dbd
Post by: casi91 on December 17, 2012, 11:16:42 AM
I've tried to install the Apache x86 on my Local PC, and what should I say...it works. (tested without DB)
So the problem only exists on the Windows 2008 R2 Server with the x64 binaries.
:-(
Title: Re: security problem, auth_form and authn_dbd
Post by: casi91 on December 17, 2012, 11:37:53 AM
And it's me again.
Sorry for the spam.

I downloaded the x64 binaries again and install the apache in the root instead of a new folder and now the testlogin (without db but with crypto) works.
puh...a lot of work for such a small win.

Now I'll try again to install it in the folder I created for.
And if it works, I'll go step by step to the final configuration.
I'll write my results soon :-)

And again, thanks for support
Title: Re: security problem, auth_form and authn_dbd
Post by: Gregg on December 17, 2012, 12:06:11 PM
Well, I'm glad you are getting there, so your experiences with this are not spam, just verbose experimentation :D
Title: Re: security problem, auth_form and authn_dbd
Post by: casi91 on December 17, 2012, 05:13:38 PM
So,
after a long day and a lot of apache configuration, i finally have the Basic-config i want :-)
There are my: login with mod_auth_digest and mod_auth_form and last but not least with mod_auth_dbd and a odbc connection to my database.

Also i've got the connection only over ssl

Today was a good day :-)

Again thanks for your help.
Title: Re: security problem, auth_form and authn_dbd
Post by: mario on December 17, 2012, 05:50:42 PM
it would be great, if you could post the working config
Title: Re: security problem, auth_form and authn_dbd
Post by: casi91 on December 18, 2012, 08:19:18 AM
Oh, of course.
But at first I have to hurry up and finish my Project.
Because in a few days I'm going to get holidays  ;)

But when I have enough time this week, I'll post a small config with all necessary code
Title: Re: security problem, auth_form and authn_dbd
Post by: casi91 on December 18, 2012, 04:57:32 PM
So,
i hope i didn't forget anything.
Here is the necessary config:
Code: [Select]
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule auth_form_module modules/mod_auth_form.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authn_dbd_module modules/mod_authn_dbd.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule authz_dbd_module modules/mod_authz_dbd.so
LoadModule session_module modules/mod_session.so
LoadModule session_cookie_module modules/mod_session_cookie.so
LoadModule session_crypto_module modules/mod_session_crypto.so
LoadModule session_dbd_module modules/mod_session_dbd.so

DBDriver odbc
DBDParams "DATASOURCE=DSN, USER=usr, PASSWORD=pwd"

DBDMin  6
DBDKeep 7
DBDMax  10
DBDExptime 400


<Location /logout>
SetHandler form-logout-handler
Order allow,deny
allow from all
AuthFormLogoutLocation /logout.php

# core authentication and mod_auth_basic configuration
# for mod_authn_dbd

AuthType form
AuthName "AuthName"
AuthFormProvider dbd
Session On
SessionCryptoPassphrase secret
SessionCookieName session path=/

AuthDBDUserPWQuery "SELECT pw FROM database.table WHERE user = %s

    # dbd-logout action executes a statement to log user out
    Require dbd-logout
    AuthzDBDQuery "UPDATE database.table SET login = 'false' WHERE user = %s"
</Location>

<Location /login>
SetHandler form-login-handler
AuthFormLoginRequiredLocation /loginfail.php
AuthFormLoginSuccessLocation /login.php

# core authentication and mod_auth_basic configuration
# for mod_authn_dbd
AuthFormProvider dbd
AuthType form
AuthName "AuthName"

Session On
SessionCryptoPassphrase secret
SessionCookieName session path=/

  # don't require user to already be logged in!
    AuthDBDUserPWQuery "SELECT pw FROM database.table WHERE user = %s

    # dbd-login action executes a statement to log user in
    Require dbd-login
    AuthzDBDQuery "UPDATE database.table SET login = 'true' WHERE user = %s"

    # return user to referring page (if any) after
    # successful login
    AuthzDBDLoginToReferer On
</Location>

<Directory "myDirectory">
Session On
SessionCryptoPassphrase secret
SessionCookieName session path=/

# core authentication and mod_auth_basic configuration
# for mod_authn_dbd
AuthType form
AuthName "AuthName"
AuthFormProvider dbd

# core authorization configuration
Require valid-user

# mod_authn_dbd SQL query to authenticate a user
AuthDBDUserPWQuery "SELECT pw FROM database.table WHERE user = %s and login = 'true'

ErrorDocument 401 /index.php

<Files login.php>
  # don't require user to already be logged in!
    AuthDBDUserPWQuery "SELECT pw FROM database.table WHERE user = %s

    # dbd-login action executes a statement to log user in
    Require dbd-login
    AuthzDBDQuery "UPDATE database.table SET login = 'true' WHERE user = %s"
</Files>
</Directory>
Title: Re: security problem, auth_form and authn_dbd
Post by: Gregg on December 19, 2012, 10:44:03 PM
Thanks for coming back with that and Happy Holidays
Title: Re: security problem, auth_form and authn_dbd
Post by: NYOKUS on January 16, 2013, 11:59:53 AM
Hello,

I'd like to notice that I have also the same issue with the x64 binaries.
After having created the Apache Windows service, I'm not able to start it:

"
Faulting application name: httpd.exe, version: 2.4.3.0, time stamp: 0x502fde1c
Faulting module name: MSVCR90.dll, version: 9.0.30729.6161, time stamp: 0x4dace4e7
Exception code: 0xc0000005
Fault offset: 0x000000000001833e
Faulting process id: 0x1a48
Faulting application start time: 0x01cdf3c4b3f36e4a
Faulting application path: C:\E\Installed_programs\apache\httpd\bin\httpd.exe
Faulting module path: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251\MSVCR90.dll
Report Id: f4bfd3e3-5fb7-11e2-96dd-0050568b3be3



Fault bucket , type 0
Event Name: APPCRASH
Response: Not available
Cab Id: 0

Problem signature:
P1: httpd.exe
P2: 2.4.3.0
P3: 502fde1c
P4: MSVCR90.dll
P5: 9.0.30729.6161
P6: 4dace4e7
P7: c0000005
P8: 000000000001833e
P9:
P10:

Attached files:

These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_httpd.exe_e69d22e5adfa4138ebec8d4537d688ce9572caf_10093561

Analysis symbol:
Rechecking for solution: 0
Report Id: f4bfd3e3-5fb7-11e2-96dd-0050568b3be3
Report Status: 4
"
Could someone help me to solve this issue?

thanks in advance

Regards

Title: Re: security problem, auth_form and authn_dbd
Post by: Gregg on January 18, 2013, 07:36:42 PM
Cannot reproduce but I'm not using dbd auth, just simple file.

Casi91 had to revert to x86 binaries to solve the problem.
Title: Re: security problem, auth_form and authn_dbd
Post by: Gregg on January 23, 2013, 11:14:11 AM
I'm wondering if both these are due to mod_session_dbd, at least the crash one and showing up mainly in x64.
https://issues.apache.org/bugzilla/show_bug.cgi?id=53452

This bug should be fixed in 2.4.4