security problem, auth_form and authn_dbd

Started by casi91, December 13, 2012, 03:14:36 PM


casi91

So,
after a long day and a lot of Apache configuration, I finally have the basic config I want :-)
Here is my setup: login with mod_auth_digest and mod_auth_form and, last but not least, with mod_auth_dbd and an ODBC connection to my database.

Also I've got the connection only over SSL.

Today was a good day :-)

Again thanks for your help.

mario

It would be great if you could post the working config.

casi91

Oh, of course.
But first I have to hurry up and finish my project,
because in a few days I'm going on holiday  ;)

But when I have enough time this week, I'll post a small config with all the necessary code.

casi91

So,
I hope I didn't forget anything.
Here is the necessary config:

LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule auth_form_module modules/mod_auth_form.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authn_dbd_module modules/mod_authn_dbd.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule authz_dbd_module modules/mod_authz_dbd.so
LoadModule session_module modules/mod_session.so
LoadModule session_cookie_module modules/mod_session_cookie.so
LoadModule session_crypto_module modules/mod_session_crypto.so
LoadModule session_dbd_module modules/mod_session_dbd.so

DBDriver odbc
DBDParams "DATASOURCE=DSN, USER=usr, PASSWORD=pwd"

DBDMin  6
DBDKeep 7
DBDMax  10
DBDExptime 400


<Location /logout>
    SetHandler form-logout-handler
    Order allow,deny
    allow from all
    AuthFormLogoutLocation /logout.php

    # core authentication and mod_auth_basic configuration
    # for mod_authn_dbd
    AuthType form
    AuthName "AuthName"
    AuthFormProvider dbd
    Session On
    SessionCryptoPassphrase secret
    SessionCookieName session path=/

    # %s is bound as a prepared-statement parameter by mod_dbd
    AuthDBDUserPWQuery "SELECT pw FROM database.table WHERE user = %s"

    # dbd-logout action executes a statement to log user out
    Require dbd-logout
    AuthzDBDQuery "UPDATE database.table SET login = 'false' WHERE user = %s"
</Location>

<Location /login>
    SetHandler form-login-handler
    AuthFormLoginRequiredLocation /loginfail.php
    AuthFormLoginSuccessLocation /login.php

    # core authentication and mod_auth_basic configuration
    # for mod_authn_dbd
    AuthFormProvider dbd
    AuthType form
    AuthName "AuthName"

    Session On
    SessionCryptoPassphrase secret
    SessionCookieName session path=/

    # don't require user to already be logged in!
    AuthDBDUserPWQuery "SELECT pw FROM database.table WHERE user = %s"

    # dbd-login action executes a statement to log user in
    Require dbd-login
    AuthzDBDQuery "UPDATE database.table SET login = 'true' WHERE user = %s"

    # return user to referring page (if any) after
    # successful login
    AuthzDBDLoginToReferer On
</Location>

<Directory "myDirectory">
    Session On
    SessionCryptoPassphrase secret
    SessionCookieName session path=/

    # core authentication and mod_auth_basic configuration
    # for mod_authn_dbd
    AuthType form
    AuthName "AuthName"
    AuthFormProvider dbd

    # core authorization configuration
    Require valid-user

    # mod_authn_dbd SQL query to authenticate a user
    # (only users flagged as logged in by the /login handler)
    AuthDBDUserPWQuery "SELECT pw FROM database.table WHERE user = %s AND login = 'true'"

    ErrorDocument 401 /index.php

    <Files login.php>
        # don't require user to already be logged in!
        AuthDBDUserPWQuery "SELECT pw FROM database.table WHERE user = %s"

        # dbd-login action executes a statement to log user in
        Require dbd-login
        AuthzDBDQuery "UPDATE database.table SET login = 'true' WHERE user = %s"
    </Files>
</Directory>
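Added example (not casi91's config or anything from the Apache project): the protected directory from the config above, with the session settings that a reviewer would harden first. It assumes the modules and DBD settings from the posted config are already loaded; the directory path, the key file path and the table name are placeholders.

```apache
# Added example, not the original poster's config. Assumes the LoadModule,
# DBDriver and DBDParams lines from the thread are already in place.
<Directory "/var/www/private">
    Session On

    # Weak (as posted): a guessable literal stored in the config file
    #   SessionCryptoPassphrase secret
    # Hardened: read the key from a root-owned file outside DocumentRoot
    # (placeholder path; create it with a long random value, mode 0600)
    SessionCryptoPassphraseFile /etc/apache2/session.key

    # Weak (as posted): no attributes, so scripts can read the cookie and
    # the browser will also send it over plain HTTP
    #   SessionCookieName session path=/
    # Hardened: the site is HTTPS-only, so mark the cookie Secure and HttpOnly
    SessionCookieName session path=/;httponly;secure;

    # Expire the encrypted session 30 minutes after it was last saved
    SessionMaxAge 1800

    AuthType form
    AuthName "AuthName"
    AuthFormProvider dbd

    # %s is bound as a prepared-statement parameter by mod_dbd, so the user
    # name is never interpolated into the SQL text. The pw column must hold
    # htpasswd-style hashes (e.g. bcrypt), never plaintext passwords.
    AuthDBDUserPWQuery "SELECT pw FROM database.table WHERE user = %s AND login = 'true'"

    Require valid-user
    ErrorDocument 401 /index.php
</Directory>
```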

Gregg

Thanks for coming back with that and Happy Holidays

NYOKUS

Hello,

I'd like to mention that I also have the same issue with the x64 binaries.
After having created the Apache Windows service, I'm not able to start it:

"
Faulting application name: httpd.exe, version: 2.4.3.0, time stamp: 0x502fde1c
Faulting module name: MSVCR90.dll, version: 9.0.30729.6161, time stamp: 0x4dace4e7
Exception code: 0xc0000005
Fault offset: 0x000000000001833e
Faulting process id: 0x1a48
Faulting application start time: 0x01cdf3c4b3f36e4a
Faulting application path: C:\E\Installed_programs\apache\httpd\bin\httpd.exe
Faulting module path: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.6161_none_08e61857a83bc251\MSVCR90.dll
Report Id: f4bfd3e3-5fb7-11e2-96dd-0050568b3be3

Fault bucket , type 0
Event Name: APPCRASH
Response: Not available
Cab Id: 0

Problem signature:
P1: httpd.exe
P2: 2.4.3.0
P3: 502fde1c
P4: MSVCR90.dll
P5: 9.0.30729.6161
P6: 4dace4e7
P7: c0000005
P8: 000000000001833e
P9:
P10:

Attached files:

These files may be available here:
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_httpd.exe_e69d22e5adfa4138ebec8d4537d688ce9572caf_10093561

Analysis symbol:
Rechecking for solution: 0
Report Id: f4bfd3e3-5fb7-11e2-96dd-0050568b3be3
Report Status: 4
"
Could someone help me to solve this issue?

Thanks in advance.

Regards


Gregg

Cannot reproduce but I'm not using dbd auth, just simple file.

Casi91 had to revert to x86 binaries to solve the problem.

Gregg

I'm wondering if both of these are due to mod_session_dbd, at least the crash one, and showing up mainly in x64.
https://issues.apache.org/bugzilla/show_bug.cgi?id=53452

This bug should be fixed in 2.4.4.