security problem, auth_form and authn_dbd

Started by casi91, December 13, 2012, 03:14:36 PM


casi91

Hi there,

I am trying to configure a login with the Apache server.
I would like to use my own login page, so I use "mod_auth_form".
I also want to check the user against my DB,
so I use "mod_authn_dbd" and "mod_authz_dbd".

The login and the logout work fine, but I've got a security problem.
When I'm logged in and look at my browser cookies, I see the username and the password without any encryption,
for example:
Quote:
    MyServer-user=testusr&MyServer-pw=testpwd

How can I make my login safer?

My System Informations:
- Apache 2.4.3
- PHP 5.4.9
- Windows Server 2008 R2

Here is my current Configuration:

<Location /login>
    SetHandler form-login-handler
    AuthFormLoginRequiredLocation /index.php
    AuthFormLoginSuccessLocation /xxx/login.php

    # core authentication and mod_auth_basic configuration
    # for mod_authn_dbd
    AuthType form
    AuthName "SVR"
    AuthFormProvider dbd
    Session On
    #SessionCryptoPassphrase secret
    SessionCookieName session path=/

    # don't require user to already be logged in!
    AuthDBDUserPWQuery "SELECT pwd FROM tbl WHERE usr = %s"

    # dbd-login action executes a statement to log user in
    Require dbd-login
    AuthzDBDQuery "UPDATE tbl SET login = 'true' WHERE usr = %s"

    # return user to referring page (if any) after
    # successful login
    AuthzDBDLoginToReferer On
</Location>


<Directory "xxx/xxx">
    # core authentication and mod_auth_basic configuration
    # for mod_authn_dbd
    AuthType form
    AuthName "SVR"
    AuthFormProvider dbd
    AuthFormLoginRequiredLocation /index.php
    Session On
    #SessionCryptoPassphrase secret
    SessionCookieName session path=/

    # core authorization configuration
    Require valid-user

    # mod_authn_dbd SQL query to authenticate a user
    AuthDBDUserPWQuery "SELECT pwd FROM tbl WHERE usr = %s AND login = 'true'"

    ErrorDocument 401 /loginfail.php

    <Files login.php>
        # don't require user to already be logged in!
        AuthDBDUserPWQuery "SELECT pwd FROM tbl WHERE usr = %s"

        # dbd-login action executes a statement to log user in
        Require dbd-login
        AuthzDBDQuery "UPDATE tbl SET login = 'true' WHERE usr = %s"

        # return user to referring page (if any) after
        # successful login
        #AuthzDBDLoginToReferer On
    </Files>
</Directory>


I also tried

    Session On
    SessionCookieName session path=/
    SessionCryptoPassphrase secret

instead of

    Session On
    SessionCookieName session path=/

But then, after I press my login button, I get an error in the browser:
Quote:
    The connection to the server was reset while the page was loading.
And in the address bar I see that the location is
Quote:
    myserver/login


I hope you understand my problem and that my English is not too bad.
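
The cleartext cookie quoted in this post is what you get when mod_auth_form keeps the credentials in the session and mod_session_cookie stores that session on the client without mod_session_crypto: the session is just URL-encoded into the cookie value. The configuration below is an added example written for this thread; it is not casi91's config and not copied from the Apache documentation. It keeps the posted table and column names (tbl, usr, pwd, login), assumes the modules live under modules/ of ServerRoot, that the mod_dbd connection (DBDriver/DBDParams) is configured elsewhere, and that the protected path, the realm name and the passphrase are placeholders. mod_session_crypto itself depends on APR-util having been built with a crypto driver (SessionCryptoDriver selects it, openssl by default), so a config like this cannot fix a build that lacks one.

```apache
# --- Added example: client-side session with encryption and cookie hardening ---
LoadModule session_module        modules/mod_session.so
LoadModule session_cookie_module modules/mod_session_cookie.so
LoadModule session_crypto_module modules/mod_session_crypto.so
LoadModule auth_form_module      modules/mod_auth_form.so
LoadModule authn_dbd_module      modules/mod_authn_dbd.so
LoadModule authz_dbd_module      modules/mod_authz_dbd.so
LoadModule dbd_module            modules/mod_dbd.so

# mod_dbd connection: driver and parameters depend on the database (assumed).
#DBDriver mysql
#DBDParams "host=localhost,dbname=authdb,user=httpd,pass=..."

# Session settings, inherited by every location below.
# mod_auth_form stores the username and password in the session; with
# mod_session_cookie that session *is* the cookie, so it has to be encrypted.
Session On
SessionMaxAge 1800
# Placeholder passphrase (assumed): use a long random secret and keep it out
# of any config file that is checked in or world-readable.
SessionCryptoPassphrase change-me-to-a-long-random-secret
SessionCryptoCipher aes256
# apr_crypto driver APR-util was built with; openssl is the default, so this
# line only documents the choice.
SessionCryptoDriver openssl
# httponly: not readable from JavaScript; secure: only sent over TLS, which
# means the login form and everything behind it must be served via HTTPS.
SessionCookieName session path=/;httponly;secure;

# Login handler: the form POSTs httpd_username and httpd_password here.
<Location /login>
    SetHandler form-login-handler
    AuthType form
    AuthName "SVR"
    AuthFormProvider dbd
    AuthFormLoginRequiredLocation /index.php
    AuthFormLoginSuccessLocation /xxx/login.php
    # pwd should hold an htpasswd-compatible hash (htpasswd -nbm user pass;
    # bcrypt via -B from 2.4.4 on). httpd accepts a plaintext pwd column only
    # on Windows and NetWare, and that is exactly what should be avoided.
    AuthDBDUserPWQuery "SELECT pwd FROM tbl WHERE usr = %s"
    Require dbd-login
    AuthzDBDQuery "UPDATE tbl SET login = 'true' WHERE usr = %s"
    AuthzDBDLoginToReferer On
</Location>

# Logout handler: removes the session so the cookie stops carrying credentials.
<Location /logout>
    SetHandler form-logout-handler
    AuthFormLogoutLocation /index.php
</Location>

# Protected area (path assumed; the post elides it).
<Directory "C:/Apache24/htdocs/private">
    AuthType form
    AuthName "SVR"
    AuthFormProvider dbd
    AuthFormLoginRequiredLocation /index.php
    AuthDBDUserPWQuery "SELECT pwd FROM tbl WHERE usr = %s AND login = 'true'"
    Require valid-user
    ErrorDocument 401 /loginfail.php
</Directory>
```

After a successful login the cookie value should be an opaque encrypted blob rather than the readable user/pw pairs quoted above. The alternative to encrypting a client-side session is to keep it server-side with mod_session_dbd, in which case only a session identifier ever reaches the browser; the cookie attributes (path, httponly, secure) matter just as much there.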

casi91

Hi there

I deleted my error log and reproduced my problem, and now I found this line:
Quote:
    [mpm_winnt:notice] [pid 3552:tid 420] AH00428: Parent: child process exited with status 255 -- Restarting.

So that says that the server is actually restarting.
But how can I figure out why this happens?

Gregg

SessionCrypto* requires mod_session_crypto
http://httpd.apache.org/docs/2.4/mod/mod_session_crypto.html

As for why Apache is restarting, you might find your answer in the Windows Event Log. Typically something crashes the child process and the parent restarts it.

casi91

Thanks for this hint.
Shame on me that I didn't look in the Windows Event Log.

So, I got new information.
The Windows Event Log says that the faulting application is "httpd.exe"
and the faulting module is "libaprutil-1.dll".

More (important) information is not available.
Any ideas?

Gregg

Typically a faulty third-party module. Not so typical is the way APR-Util interacts with the system; some systems do funny things.

Did this start happening after loading mod_session_crypto and not before?
If so, where did you get your Apache, and is it a VC10 or VC9 build?


casi91

The problem happens after I add this line:
    SessionCryptoPassphrase secret

The mod_session_crypto module does not trigger the problem;
the module is always loaded in my httpd.conf.

I got my version from Apache Lounge
http://www.apachelounge.com/download/win64/
(I hope I'm allowed to post this link. If not, please tell me or remove the link.)

and it is the VC10 build.

Gregg

Yes, it's ok to post URL to Apache Lounge.

I do not have an answer or any more questions for you just at the moment. I am going to have to first learn how to use the auth_form stuff then play around with it a little. I wouldn't believe our binaries would work better than his in this situation but I will not know till I have time to test this on ours.




Gregg

Well, that was fun .... not!

It works for me. I did not set up a big PHP login with a MySQL database, however. I just used a quick and dirty .htaccess file.

Your problem may be when connecting to your database. I'd say set up some other area with just AuthFormProvider file and an .htpasswd file and try it there. See if session crypto is working then. If not, the problem must be with Apache Lounge's binaries.

Anyhow, session crypto works for me. I'm not very good with PHP or MySQL, so I am not the person to debug that part. Try using session crypto with .htpasswd first; if that works, you might take your problem to the Apache User Support and Discussion mailing list (not any of the others), since I see there are no answers to your post over at Apache Lounge. There are a lot of smart people on that users mailing list.

One thing I ran into is using SSI in the login form; if I did that, nothing at all worked. That is a bug that should be fixed in 2.4.4, and I'm going to add the last needed vote to get it into 2.4.4 now.

Oddly, when you first get in, the session cookie will show as (none); reload the page and it will show up.

Edit: Removed dead link

Gregg
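
Gregg's isolation step above, worked into a concrete configuration as an added example (not from the thread, not Apache's own documentation): a separate directory protected with AuthFormProvider file and a .htpasswd file, with the same session and crypto settings as the DB setup so that only the authentication provider changes between the two. The ServerRoot, the test directory, the password file, the realm name, the passphrase and the HTML form are all assumptions.

```apache
# --- Added example: isolation test with AuthFormProvider file ---
# Assumed: ServerRoot C:/Apache24, directory C:/Apache24/htdocs/crypto-test
# containing login.html, and a password file created with
#   htpasswd -cm C:/Apache24/conf/test.htpasswd testusr

# Same session setup as the production config; only the authn provider differs,
# so if the child process still dies on the first login, the fault is in
# mod_session_crypto / APR-util, not in mod_dbd or the database.
Session On
SessionCryptoPassphrase change-me-to-a-long-random-secret
SessionCookieName session path=/;httponly;secure;

<Directory "C:/Apache24/htdocs/crypto-test">
    AuthType form
    AuthName "CryptoTest"
    AuthFormProvider file
    AuthUserFile "C:/Apache24/conf/test.htpasswd"
    AuthFormLoginRequiredLocation /crypto-test/login.html
    Require valid-user

    # The form itself must be reachable without a session, otherwise the
    # browser just loops on the redirect to the login page.
    <Files "login.html">
        Require all granted
    </Files>
</Directory>

# login.html is plain static HTML (no SSI, see the note above) that posts the
# field names mod_auth_form expects by default:
#   <form method="POST" action="/crypto-test/login">
#     <input type="text"     name="httpd_username">
#     <input type="password" name="httpd_password">
#     <input type="hidden"   name="httpd_location" value="/crypto-test/">
#     <input type="submit"   value="Login">
#   </form>
<Location /crypto-test/login>
    SetHandler form-login-handler
    AuthType form
    AuthName "CryptoTest"
    AuthFormProvider file
    AuthUserFile "C:/Apache24/conf/test.htpasswd"
    AuthFormLoginRequiredLocation /crypto-test/login.html
    AuthFormLoginSuccessLocation /crypto-test/
    Require valid-user
</Location>
```

Two checks while testing: a browser will not send back a cookie flagged secure over plain HTTP, so either run the test bench over TLS or drop the secure attribute for this test only and put it back for production; and after a successful login the session cookie should be an opaque encrypted value, not the readable user/pw pairs shown in the first post.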


casi91

Hi, thanks for your answer.

I will try it without my DB and tell you whether it works or not.
If it doesn't work, I will try your binaries.

So, let's start  :)

casi91

So...
I will try out your binaries. Maybe it helps.
I copied your config and only changed the path.
But the server seems to be going around in circles.
Here is the error log (until 08:55:47 everything is fine, but that's only the log for the server start).
And after that, the server restarts two times. :-(

Quote:
The testweb service is restarting.
Starting the testweb service
The testweb service is running.
] [auth_digest:notice] [pid 1496:tid 388] AH01757: generating secret for digest authentication ...
[Mon Dec 17 08:55:45.001811 2012] [mpm_winnt:notice] [pid 1496:tid 388] AH00455: Apache/2.4.3 (Win64) configured -- resuming normal operations
[Mon Dec 17 08:55:45.001811 2012] [mpm_winnt:notice] [pid 1496:tid 388] AH00456: Server built: Aug 18 2012 14:13:48
[Mon Dec 17 08:55:45.001811 2012] [core:notice] [pid 1496:tid 388] AH00094: Command line: 'xxxx\\xxxx\\xxxx\\bin\\httpd.exe -d xxxx/xxxx/Apache24'
[Mon Dec 17 08:55:45.001811 2012] [mpm_winnt:notice] [pid 1496:tid 388] AH00418: Parent: Created child process 2716
[Mon Dec 17 08:55:46.017221 2012] [auth_digest:notice] [pid 2716:tid 324] AH01757: generating secret for digest authentication ...
[Mon Dec 17 08:55:47.626256 2012] [mpm_winnt:notice] [pid 2716:tid 324] AH00354: Child: Starting 64 worker threads.
[Mon Dec 17 08:56:13.183724 2012] [mpm_winnt:notice] [pid 1496:tid 388] AH00428: Parent: child process exited with status 255 -- Restarting.
[Mon Dec 17 08:56:13.261832 2012] [auth_digest:notice] [pid 1496:tid 388] AH01757: generating secret for digest authentication ...
[Mon Dec 17 08:56:14.011669 2012] [mpm_winnt:notice] [pid 1496:tid 388] AH00455: Apache/2.4.3 (Win64) configured -- resuming normal operations
[Mon Dec 17 08:56:14.011669 2012] [mpm_winnt:notice] [pid 1496:tid 388] AH00456: Server built: Aug 18 2012 14:13:48
[Mon Dec 17 08:56:14.011669 2012] [core:notice] [pid 1496:tid 388] AH00094: Command line: 'xxxx\\xxxx\\xxxx\\bin\\httpd.exe -d xxxx/xxxx/xxxx'
[Mon Dec 17 08:56:14.011669 2012] [mpm_winnt:notice] [pid 1496:tid 388] AH00418: Parent: Created child process 3992
[Mon Dec 17 08:56:15.027073 2012] [auth_digest:notice] [pid 3992:tid 324] AH01757: generating secret for digest authentication ...
[Mon Dec 17 08:56:17.104746 2012] [mpm_winnt:notice] [pid 3992:tid 324] AH00354: Child: Starting 64 worker threads.
[Mon Dec 17 08:56:17.229719 2012] [mpm_winnt:notice] [pid 1496:tid 388] AH00428: Parent: child process exited with status 255 -- Restarting.
[Mon Dec 17 08:56:17.323448 2012] [auth_digest:notice] [pid 1496:tid 388] AH01757: generating secret for digest authentication ...
[Mon Dec 17 08:56:18.010799 2012] [mpm_winnt:notice] [pid 1496:tid 388] AH00455: Apache/2.4.3 (Win64) configured -- resuming normal operations
[Mon Dec 17 08:56:18.010799 2012] [mpm_winnt:notice] [pid 1496:tid 388] AH00456: Server built: Aug 18 2012 14:13:48
[Mon Dec 17 08:56:18.010799 2012] [core:notice] [pid 1496:tid 388] AH00094: Command line: 'xxxx\\xxxx\\xxxx\\bin\\httpd.exe -d xxxxx/xxxxx/xxxxx'
[Mon Dec 17 08:56:18.010799 2012] [mpm_winnt:notice] [pid 1496:tid 388] AH00418: Parent: Created child process 1572


casi91

It's me again.

I downloaded your binaries: http://www.apachehaus.com/cgi-bin/download.plx
(I downloaded the x64 binaries.)

But now, when I try to install/start the new Apache instance, the server crashes immediately.
Quote:
    Problem signature:
      Problem Event Name:   APPCRASH
      Application Name:   httpd.exe
      Application Version:   2.4.3.0
      Application Timestamp:   502fde1c
      Fault Module Name:   MSVCR90.dll
      Fault Module Version:   9.0.21022.8
      Fault Module Timestamp:   47313e07
      Exception Code:   c0000005
      Exception Offset:   000000000001801e
      OS Version:   6.1.7601.2.1.0.274.10
      Locale ID:   1031
      Additional Information 1:   2870
      Additional Information 2:   2870d298bb95cdaf4fa3d5ad2f2c90ce
      Additional Information 3:   25ea
      Additional Information 4:   25ea0f9b65c97060ce0b97e3bcf0a810

    Read our privacy statement online:
      http://go.microsoft.com/fwlink/?linkid=104288&clcid=0x0407

    If the online privacy statement is not available, please read our privacy statement offline:
      C:\Windows\system32\de-DE\erofflps.txt

casi91

I've tried to install the Apache x86 build on my local PC, and what can I say... it works (tested without DB).
So the problem only exists on the Windows 2008 R2 server with the x64 binaries.
:-(

casi91

And it's me again.
Sorry for the spam.

I downloaded the x64 binaries again and installed Apache in the root instead of a new folder, and now the test login (without DB but with crypto) works.
Phew... a lot of work for such a small win.

Now I'll try again to install it in the folder I created for it.
And if it works, I'll go step by step to the final configuration.
I'll write up my results soon :-)

And again, thanks for the support.

Gregg

Well, I'm glad you are getting there, so your experiences with this are not spam, just verbose experimentation :D