Apache Httpd < 2.2.34: ap_get_basic_auth_pw() Authentication Bypass

2017-02-06T00:00:00
ID HTTPD:3C869ED31997C0F748E2CD4FE85D0DA8
Type httpd
Reporter We would like to thank Emmanuel Dreyfus for reporting this issue.
Modified 2017-07-11T00:00:00

Description

Use of ap_get_basic_auth_pw() by third-party modules outside of the authentication phase may lead to authentication requirements being bypassed.

Third-party module writers SHOULD use ap_get_basic_auth_components(), available in 2.2.34 and 2.4.26, instead of ap_get_basic_auth_pw(). Modules which call the legacy ap_get_basic_auth_pw() during the authentication phase MUST either immediately authenticate the user after the call, or else stop the request immediately with an error response, to avoid incorrectly authenticating the current request.
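To find affected call sites, the following added example (not part of the advisory or of httpd) is a heuristic audit script for third-party module source: it reports each call to ap_get_basic_auth_pw(), whether its return value is discarded, and whether the file registers an authentication-phase hook at all. The sample module and the helper verify_password are constructed, and treating ap_hook_check_user_id / ap_hook_check_authn as the sign of an authentication-phase module is an assumption of this sketch.

```python
import re

LEGACY = "ap_get_basic_auth_pw"
# Assumption: a module working in the authentication phase registers one of these.
AUTHN_HOOKS = ("ap_hook_check_user_id", "ap_hook_check_authn")
# C comments and string/char literals, blanked out before searching.
_NOISE = re.compile(
    r"/\*.*?\*/|//[^\n]*"
    r'|"(?:\\.|[^"\\\n])*"' r"|'(?:\\.|[^'\\\n])*'", re.S)

def _blank(m):
    return re.sub(r"[^\n]", " ", m.group(0))  # keep newlines for line numbers

def audit_module(source):
    """Return one finding per legacy call in the C source text."""
    code = _NOISE.sub(_blank, source)
    in_authn_file = bool(
        re.search(r"\b(?:%s)\s*\(" % "|".join(AUTHN_HOOKS), code))
    findings = []
    for m in re.finditer(r"\b%s\s*\(" % LEGACY, code):
        before = code[:m.start()].rstrip()
        findings.append({
            "line": code.count("\n", 0, m.start()) + 1,
            # A bare statement discards the status, so the module cannot
            # stop the request with an error response based on it.
            "return_ignored": before == "" or before[-1] in ";{}",
            "authn_hook_in_file": in_authn_file,
        })
    return findings

# Constructed sample input, not taken from any real module.
SAMPLE = '''\
/* constructed sample module, not real code */
static int log_fixup(request_rec *r)
{
    const char *pw;
    /* ap_get_basic_auth_pw(r, &pw); old call kept as a comment */
    ap_get_basic_auth_pw(r, &pw);
    return DECLINED;
}
static int gate(request_rec *r)
{
    const char *pw;
    int rc = ap_get_basic_auth_pw(r, &pw);
    if (rc != OK) return rc;
    return verify_password(r->user, pw); /* hypothetical helper */
}
static void hooks(apr_pool_t *p) { ap_hook_fixups(log_fixup, NULL, NULL, APR_HOOK_MIDDLE); }
'''
```

A finding with return_ignored set, or in a file with no authentication-phase hook, is the first candidate for manual review and for migration to ap_get_basic_auth_components().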