You are viewing a plain text version of this content. The canonical link for it is here.
Posted to bugs@httpd.apache.org by bu...@apache.org on 2002/08/17 16:08:21 UTC
DO NOT REPLY [Bug 11790] New: -
Information disclosure on mod_auth ( apache 1.3.26 )
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=11790>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=11790
Information disclosure on mod_auth ( apache 1.3.26 )
Summary: Information disclosure on mod_auth ( apache 1.3.26 )
Product: Apache httpd-1.3
Version: 1.3.26
Platform: PC
OS/Version: Other
Status: UNCONFIRMED
Severity: Normal
Priority: Other
Component: Auth/Access
AssignedTo: bugs@httpd.apache.org
ReportedBy: apaterno@dsnargentina.com.ar
Hi, I have found a discrepancy between mod_auth and ServerTokens Prod.
Using, openbsd CURRENT , apache 1.3.26, as the example:
I add the following line to the httpd.conf file :
ServerTokens Prod
So, when I try to get the version/modules of apache with the HEAD
method, I obtain as a reply only the type of the server :
HEAD / HTTP/1.0\r\n\r\n
[info]
Server: Apache
[info]
But , when I enable mod_auth and try to access the protected directory
with an invalid username / password, I obtain the following errror :
401 Authorization Required
[bleh bleh info]
Apache/1.3.26 Server at xxxxx Port 80
Giving me the version of the apache server.
I'm not an apache guru, but from from my point of view this seems to be a
flaw(?) in the mod_auth module.
Comments appreciated.
Best Regards.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org