Posted to apache-bugdb@apache.org by Joanna Gaski <jg...@wpi.edu> on 1997/04/04 22:20:02 UTC

config/315: causes two password queries unless given fqdn.

>Number:         315
>Category:       config
>Synopsis:       <LIMIT> causes two password queries unless given fqdn.
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache (Apache HTTP Project)
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Fri Apr  4 12:20:02 1997
>Originator:     jgaski@wpi.edu
>Organization:
apache
>Release:        1.2b7
>Environment:
Digital Unix 4.0B, cc compiler
>Description:
This problem occurs when using the new "satisfy any" match ability for .htaccess
files. Using this .htaccess file in /info/test:
<Limit GET>
satisfy any
order deny,allow
deny from all
allow from bert.wpi.edu
Authname test
AuthType Basic
AuthUserFile /www/docs/info/test/passwd
require valid-user 
errordocument 403 http://www.wpi.edu/Stratplan/sorry.html
</Limit>

When a request is made for the page from another domain, Netscape queries the
user twice for their password, UNLESS the URL for the requested page contains
the server's fully qualified domain name, with the domain in all caps. In this
case, the user is only queried once. 
>How-To-Repeat:
No, because you aren't in our password file. It should be easy to recreate
on another system.
>Fix:
It may be that the time it takes the webserver to qualify the domain name is
causing the problem. Another clue would be that the two password validation
boxes are different sizes, meaning that they are generated in different parts
of the code. Sorry, can't help more.
>Audit-Trail:
>Unformatted:



Re: config/315: causes two password queries unless given fqdn.

Posted by Alexei Kosut <ak...@nueva.pvt.k12.ca.us>.
On Sat, 5 Apr 1997, Marc Slemko wrote:

[...]

> I was thinking more along the lines of sending a 301 right away instead of
> a 401 based on the authorization required for the parent directory.  If
> you treat "foo" as a file in the parent directory and "foo/" as a
> subdirectory, I think it makes sense to allow "access" (ie. a redirect) to
> "foo" if access would be granted to the parent of the foo directory.  

Ah, okay. That makes sense.

> I agree with you that doing what I suggest for _any_ directory would give
> away information that should not be given away.  As you also point out,
> implementation is another issue. 

Yes, it is. Apache doesn't ever treat directories (with or
without slashes) as files in the parent directory. So even if we
wanted to do this, the current setup doesn't give you access to the
per-dir setup for the parent directory, only the "child" one. You'd
have to do something like strip off the last path segment, feed it
back as a subrequest, and that could cause even worse problems, I
think.

Although that's just a first glance at an answer; I haven't checked
the code in great detail either.

-- 
________________________________________________________________________
Alexei Kosut <ak...@nueva.pvt.k12.ca.us>      The Apache HTTP Server
URL: http://www.nueva.pvt.k12.ca.us/~akosut/   http://www.apache.org/


Re: config/315: causes two password queries unless given fqdn.

Posted by Dean Gaudet <dg...@arctic.org>.
Someone who knows mod_rewrite better than me could probably whip up something
that issues a redirect when HTTP_HOST != SERVER_NAME ...

Dean
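One way to do what Dean describes, as an added example that is not part of the thread or of the Apache distribution: a mod_rewrite rule in the server (or VirtualHost) configuration that redirects any request whose Host: header differs from the canonical ServerName to the canonical name, so the browser only ever sees the 401 challenge from one hostname and caches the credentials once. Apache 2.x syntax is assumed, not the 1.2b7 of the report; www.example.com is a placeholder for the real ServerName, and plain HTTP on port 80 is assumed.

```apache
# Added example, not from the thread. Placeholder hostname: www.example.com.
ServerName www.example.com

RewriteEngine On
# Fire when the client used any name other than the canonical one.
# [NC] makes the comparison case-insensitive, so WWW.EXAMPLE.COM also
# counts as canonical. A Host: value with an explicit ":port" would not
# match this pattern and would be redirected too (port 80 assumed).
RewriteCond %{HTTP_HOST} !^www\.example\.com$ [NC]
# Permanent redirect to the same path on the canonical hostname.
RewriteRule ^(.*)$ http://www.example.com$1 [R=301,L]
```

This must live in the main server or VirtualHost configuration, not in an .htaccess file: per-directory rewrites run in the fixup phase, after access control and authentication, so by then the 401 for the non-canonical name has already been sent and the second prompt is not avoided.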


Re: config/315: causes two password queries unless given fqdn.

Posted by Marc Slemko <ma...@worldgate.com>.
On Sat, 5 Apr 1997, Alexei Kosut wrote:

> On Sat, 5 Apr 1997, Marc Slemko wrote:
> 
> > The answer to this (psst... another FAQ?) is probably that Apache is
> > issuing a redirect which causes it to be a different server as far as the
> > client knows, making it reprompt for the name.
> > 
> > If the directory /foo/ is protected, is there any reason why a request for
> > /foo needs to return a 401?  Would it cause a security hole if it just
> > returned the redirect to /foo/ without requiring authentication?  That
> > would eliminate this frequent problem; Netscape Commerce 1.1 avoids the
> > problem by doing things this way.
> 
> I think that would be a security problem (not to mention a bit tricky
> given Apache's authentication model), for the same reason we return
> 401/403 and not 404 when there is an unauthorized request for a
> non-existent file: It tells a potentially unwanted visitor something
> about a private area of your site, namely that a file doesn't
> exist. This means that if you know that the server behaves that way,
> you can quickly find out which files *do* exist (they return 401/403
> instead of 404). Having Apache return 301 instead of 401/403 would
> produce the same problem: it would then be possible to find out if a
> directory existed or not, simply by testing its URL sans slash.

I was thinking more along the lines of sending a 301 right away instead of
a 401 based on the authorization required for the parent directory.  If
you treat "foo" as a file in the parent directory and "foo/" as a
subdirectory, I think it makes sense to allow "access" (ie. a redirect) to
"foo" if access would be granted to the parent of the foo directory.  

I agree with you that doing what I suggest for _any_ directory would give
away information that should not be given away.  As you also point out,
implementation is another issue. 

This is quite an annoying problem when trying to use authentication on a
server that people refer to by more than one name.  Guess you could fake
it to some degree by using "Host:" based virtual hosts.  You could also
hack the server to send a redirect to the real ServerName if it gets a
request that requires authentication but has a "Host:" header with some
other name in, but neither of those are real solutions.  Yes, yes... there
are no real solutions while being forced to stick with basic
authentication by silly browsers.


Re: config/315: causes two password queries unless given fqdn.

Posted by Alexei Kosut <ak...@nueva.pvt.k12.ca.us>.
On Sat, 5 Apr 1997, Marc Slemko wrote:

> The answer to this (psst... another FAQ?) is probably that Apache is
> issuing a redirect which causes it to be a different server as far as the
> client knows, making it reprompt for the name.
> 
> If the directory /foo/ is protected, is there any reason why a request for
> /foo needs to return a 401?  Would it cause a security hole if it just
> returned the redirect to /foo/ without requiring authentication?  That
> would eliminate this frequent problem; Netscape Commerce 1.1 avoids the
> problem by doing things this way.

I think that would be a security problem (not to mention a bit tricky
given Apache's authentication model), for the same reason we return
401/403 and not 404 when there is an unauthorized request for a
non-existent file: It tells a potentially unwanted visitor something
about a private area of your site, namely that a file doesn't
exist. This means that if you know that the server behaves that way,
you can quickly find out which files *do* exist (they return 401/403
instead of 404). Having Apache return 301 instead of 401/403 would
produce the same problem: it would then be possible to find out if a
directory existed or not, simply by testing its URL sans slash.

In other words, -1

-- 
________________________________________________________________________
Alexei Kosut <ak...@nueva.pvt.k12.ca.us>      The Apache HTTP Server
URL: http://www.nueva.pvt.k12.ca.us/~akosut/   http://www.apache.org/


Re: config/315: causes two password queries unless given fqdn.

Posted by Marc Slemko <ma...@znep.com>.
The answer to this (psst... another FAQ?) is probably that Apache is
issuing a redirect which causes it to be a different server as far as the
client knows, making it reprompt for the name.

If the directory /foo/ is protected, is there any reason why a request for
/foo needs to return a 401?  Would it cause a security hole if it just
returned the redirect to /foo/ without requiring authentication?  That
would eliminate this frequent problem; Netscape Commerce 1.1 avoids the
problem by doing things this way.

Don't have time to look at the code right now... 

On Fri, 4 Apr 1997, Joanna Gaski wrote:

> 
> >Number:         315
> >Category:       config
> >Synopsis:       <LIMIT> causes two password queries unless given fqdn.
> >Confidential:   no
> >Severity:       non-critical
> >Priority:       medium
> >Responsible:    apache (Apache HTTP Project)
> >State:          open
> >Class:          sw-bug
> >Submitter-Id:   apache
> >Arrival-Date:   Fri Apr  4 12:20:02 1997
> >Originator:     jgaski@wpi.edu
> >Organization:
> apache
> >Release:        1.2b7
> >Environment:
> Digital Unix 4.0B, cc compiler
> >Description:
> This problem occurs when using the new "satisfy any" match ability for .htaccess
> files. Using this .htaccess file in /info/test:
> <Limit GET>
> satisfy any
> order deny,allow
> deny from all
> allow from bert.wpi.edu
> Authname test
> AuthType Basic
> AuthUserFile /www/docs/info/test/passwd
> require valid-user 
> errordocument 403 http://www.wpi.edu/Stratplan/sorry.html
> </Limit>
> 
> When a request is made for the page from another domain, Netscape queries the
> user twice for their password, UNLESS the URL for the requested page contains
> the server's fully qualified domain name, with the domain in all caps. In this
> case, the user is only queried once. 
> >How-To-Repeat:
> No, because you aren't in our password file. It should be easy to recreate
> on another system.
> >Fix:
> It may be that the time it takes the webserver to qualify the domain name is
> causing the problem. Another clue would be that the two password validation
> boxes are different sizes, meaning that they are generated in different parts
> of the code. Sorry, can't help more.
> >Audit-Trail:
> >Unformatted:
> 
> 


Re: config/315: causes two password queries unless given fqdn.

Posted by Dean Gaudet <dg...@arctic.org>.
There is no way for apache (or any web server) to know what domain a
user's client uses to resolve unqualified addresses.  This is a
client-side issue... not only does it mess up www-authentication, it
breaks any cookie code if you use it.  You'll have to train your users to
use FQDNs or have a link somewhere that takes them into your authenticated
hierarchy using a FQDN. 

In your case it might also be that your 403 errordoc requires auth...
which of course is problematic :)

Dean

On Fri, 4 Apr 1997, Joanna Gaski wrote:

> 
> >Number:         315
> >Category:       config
> >Synopsis:       <LIMIT> causes two password queries unless given fqdn.
> >Confidential:   no
> >Severity:       non-critical
> >Priority:       medium
> >Responsible:    apache (Apache HTTP Project)
> >State:          open
> >Class:          sw-bug
> >Submitter-Id:   apache
> >Arrival-Date:   Fri Apr  4 12:20:02 1997
> >Originator:     jgaski@wpi.edu
> >Organization:
> apache
> >Release:        1.2b7
> >Environment:
> Digital Unix 4.0B, cc compiler
> >Description:
> This problem occurs when using the new "satisfy any" match ability for .htaccess
> files. Using this .htaccess file in /info/test:
> <Limit GET>
> satisfy any
> order deny,allow
> deny from all
> allow from bert.wpi.edu
> Authname test
> AuthType Basic
> AuthUserFile /www/docs/info/test/passwd
> require valid-user 
> errordocument 403 http://www.wpi.edu/Stratplan/sorry.html
> </Limit>
> 
> When a request is made for the page from another domain, Netscape queries the
> user twice for their password, UNLESS the URL for the requested page contains
> the server's fully qualified domain name, with the domain in all caps. In this
> case, the user is only queried once. 
> >How-To-Repeat:
> No, because you aren't in our password file. It should be easy to recreate
> on another system.
> >Fix:
> It may be that the time it takes the webserver to qualify the domain name is
> causing the problem. Another clue would be that the two password validation
> boxes are different sizes, meaning that they are generated in different parts
> of the code. Sorry, can't help more.
> >Audit-Trail:
> >Unformatted:
> 
> 
>
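Dean's second point above, that the 403 ErrorDocument itself may require authentication, is the other way the report's setup can produce an extra prompt: an ErrorDocument given as a full URL makes Apache send a redirect, and if that URL is under a protected tree or on a different hostname the browser prompts again. The following is an added example, not from the thread, showing the same protection as the report's .htaccess rewritten into server configuration with the error page served from a local path outside the protected directory. Apache 2.2-style directives (Order/Allow/Deny, Satisfy) are assumed; /www/docs is assumed to be the DocumentRoot, and /errors is a placeholder path.

```apache
# Added example, not from the thread. Assumes DocumentRoot /www/docs.
<Directory "/www/docs/info/test">
    # Either a listed host or a valid password is sufficient.
    Satisfy Any
    Order Deny,Allow
    Deny from all
    Allow from bert.wpi.edu

    AuthName "test"
    AuthType Basic
    AuthUserFile "/www/docs/info/test/passwd"
    Require valid-user

    # A local path keeps the 403 status and is served by an internal
    # subrequest; a full URL here would become a redirect, and if that
    # target needed authentication the browser would prompt again.
    ErrorDocument 403 /errors/sorry.html
</Directory>

# The error page lives outside the protected tree and carries no auth
# directives, so serving it never triggers a password prompt.
<Directory "/www/docs/errors">
    Order Allow,Deny
    Allow from all
</Directory>
```

Two things are deliberately different from the report's file. The directives are not wrapped in `<Limit GET>`: a Limit section protects only the methods it names, so other methods would bypass the access control entirely, and for a whole-directory restriction the directives belong outside any Limit. The AuthUserFile path is kept as in the report only for comparison; a password file under the DocumentRoot can be fetched as an ordinary document unless something blocks it, so it is better stored outside the served tree.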