DO NOT REPLY [Bug 11790] New: - Information disclosure on mod_auth ( apache 1.3.26 )

[bu...@apache.org]

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=11790>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=11790

Information disclosure on mod_auth ( apache 1.3.26 )

           Summary: Information disclosure on mod_auth ( apache 1.3.26 )
           Product: Apache httpd-1.3
           Version: 1.3.26
          Platform: PC
        OS/Version: Other
            Status: UNCONFIRMED
          Severity: Normal
          Priority: Other
         Component: Auth/Access
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: apaterno@dsnargentina.com.ar


Hi, I have found  a discrepancy between mod_auth and ServerTokens Prod.
  
Using, openbsd CURRENT , apache 1.3.26, as the example:
  
I add the following line to the httpd.conf file :
  
ServerTokens Prod
  
So, when I try to get the version/modules of apache with the HEAD
method, I obtain as a reply only the type of the server :
  
 HEAD / HTTP/1.0\r\n\r\n

[info]
Server: Apache
[info]

But , when I enable mod_auth and try to access the protected directory
with an invalid username / password, I obtain the following errror :

401 Authorization Required
[bleh bleh info]
Apache/1.3.26 Server at xxxxx Port 80

Giving me the version of the apache server.

I'm not an apache guru, but from from my point of view this seems to be a
flaw(?) in the mod_auth module.

Comments appreciated.

Best Regards.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org