Posted to bugs@httpd.apache.org by bu...@apache.org on 2010/10/28 15:30:11 UTC
DO NOT REPLY [Bug 50172] New: Digest allows access bypassing security
https://issues.apache.org/bugzilla/show_bug.cgi?id=50172
Summary: Digest allows access bypassing security
Product: Apache httpd-2
Version: 2.2.17
Platform: Other
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: mod_auth_digest
AssignedTo: bugs@httpd.apache.org
ReportedBy: ej@cgram.com
I am not a very experienced Apache person, so please forgive me if I have this
wrong. If this is just user error, feel free to delete (although the solution
would be appreciated.)
Essentially there seems to be a way of bypassing Digest authentication. N.B.
these webpages are under development and sit in a sub-tree htdocs/website.
1. In my httpd.conf I have set "AllowOverride All" in all directories just to
be sure. It made no difference. The mod_auth_digest module is built-in using
the flag to 'configure'.
2. In the htdocs/protected directory I have a .htaccess file
AuthType Digest
AuthName "Please login"
AuthUserFile /srv/www/passwd
Require user users
ErrorDocument 401 "/website/preloginrequired.html"
ErrorDocument 404 "/website/preloginrequired.html"
Note that I use AuthUserFile because it works, whereas AuthDigestFile throws an
'Invalid command' line in error_log, plus authentication doesn't work.
3. I have a page htdocs/website/loginclientarea.html that essentially puts a
message on the screen that says "Please login", it also has
<body onLoad="window.location='protected/clientarea.html'">
As soon as the page has painted, it tries to branch to the protected page,
causing the browser login box to appear. So I get a login page, and when they
have completed it successfully, they get into the protected page. Works on
every browser I can find, bar one.
On version 6.0.2800.1106.xpsl.020828-1920 of IE6 no browser login box is
presented and you arrive straight into the protected page without giving a
password. Just to make sure there is no issue of cached passwords etc. I have
changed the password on 'protected' twice and it still happens although this
browser has never logged into the protected page with the new password.
I suggest this is not a browser issue; the Apache server should not be handing
out the page without authentication under any circumstances. But it does.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org
DO NOT REPLY [Bug 50172] Digest allows access bypassing security
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=50172
Dan Poirier <po...@pobox.com> changed:

What      Removed   Added
------------------------------
Status    NEW       NEEDINFO
--- Comment #1 from Dan Poirier <po...@pobox.com> 2010-10-28 10:32:29 EDT ---
Can you get a network trace of IE6 accessing the protected page without a
userid/password? Also please provide the configuration files.
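The exchange a network trace of the protected page should show, as an added example that is not part of the bug report or of httpd's own mod_auth_digest code: a minimal RFC 2617 Digest (MD5, qop=auth) round trip in Python with a constructed realm, user, password, URI and nonces. A Digest-protected location must answer a request that carries no Authorization header with 401 and a WWW-Authenticate: Digest challenge, and must serve the page only once the client's response value verifies against the stored MD5(user:realm:password); the example also rejects a nonce the server never issued and a proof computed over a different URI. One caveat the stored-hash line makes visible: the realm is baked into what htdigest writes to the AuthUserFile, so the AuthName in the configuration must be the same string that was given to htdigest when the file was created, otherwise no password will verify.

```python
import hashlib
import hmac
import re
import secrets
from typing import Dict, Optional

# Added example: RFC 2617 Digest (MD5, qop=auth) as a server/client pair.
# Realm, user, password, URI and fixed nonces below are constructed for
# illustration; this is not the mod_auth_digest implementation.

PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]*))')


def parse_params(value: str) -> Dict[str, str]:
    """Parse the comma-separated key=value / key="value" list of a Digest header."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in PARAM_RE.finditer(value)}


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(h1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str) -> str:
    """KD(HA1, nonce:nc:cnonce:qop:HA2) from RFC 2617 section 3.2.2.1."""
    h2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{h1}:{nonce}:{nc}:{cnonce}:{qop}:{h2}")


class DigestServer:
    """Stand-in for a Digest-protected location such as /protected/."""

    def __init__(self, realm: str, users: Dict[str, str]) -> None:
        self.realm = realm
        # What htdigest writes to the AuthUserFile: HA1 = MD5(user:realm:password).
        # The realm is part of the hash, so AuthName must match the htdigest realm.
        self.ha1 = {u: md5_hex(f"{u}:{realm}:{p}") for u, p in users.items()}
        self.issued_nonces: set = set()

    def challenge(self, nonce: Optional[str] = None) -> Dict[str, str]:
        """The 401 every request without a valid Digest proof must receive."""
        nonce = nonce or secrets.token_hex(16)
        self.issued_nonces.add(nonce)
        return {
            "status": "401 Unauthorized",
            "WWW-Authenticate": f'Digest realm="{self.realm}", qop="auth", '
                                f'nonce="{nonce}", opaque="0"',
        }

    def handle(self, method: str, uri: str, headers: Dict[str, str]) -> Dict[str, str]:
        """Serve the resource only after a valid Digest proof; otherwise re-challenge."""
        auth = headers.get("Authorization", "")
        if not auth.startswith("Digest "):
            return self.challenge()            # no credentials at all: never serve the page
        p = parse_params(auth[len("Digest "):])
        required = {"username", "realm", "nonce", "uri", "qop", "nc", "cnonce", "response"}
        if not required.issubset(p) or p["qop"] != "auth":
            return self.challenge()
        # Reject nonces this server never issued and proofs bound to another URI or realm.
        if (p["nonce"] not in self.issued_nonces or p["uri"] != uri
                or p["realm"] != self.realm):
            return self.challenge()
        h1 = self.ha1.get(p["username"])
        if h1 is None:
            return self.challenge()
        expected = digest_response(h1, method, uri, p["nonce"], p["nc"], p["cnonce"], "auth")
        if not hmac.compare_digest(expected, p["response"]):
            return self.challenge()
        return {"status": "200 OK", "body": f"<html>client area for {p['username']}</html>"}


def client_authorization(user: str, password: str, method: str, uri: str,
                         challenge: Dict[str, str], cnonce: Optional[str] = None,
                         nc: str = "00000001") -> str:
    """What the browser's login box turns the 401 challenge into."""
    p = parse_params(challenge["WWW-Authenticate"][len("Digest "):])
    cnonce = cnonce or secrets.token_hex(8)
    h1 = md5_hex(f"{user}:{p['realm']}:{password}")
    resp = digest_response(h1, method, uri, p["nonce"], nc, cnonce, p["qop"])
    fields = (f'username="{user}", realm="{p["realm"]}", nonce="{p["nonce"]}", '
              f'uri="{uri}", qop={p["qop"]}, nc={nc}, cnonce="{cnonce}", response="{resp}"')
    if "opaque" in p:
        fields += f', opaque="{p["opaque"]}"'
    return "Digest " + fields


def run_exchange(user: str, password: str, uri: str = "/protected/clientarea.html"):
    """Full round trip: bare GET -> 401 -> GET with Authorization -> final status."""
    server = DigestServer("Please login", {"ej": "s3cret-example"})   # constructed account
    first = server.handle("GET", uri, {})
    auth = client_authorization(user, password, "GET", uri, first)
    second = server.handle("GET", uri, {"Authorization": auth})
    return first["status"], second["status"]


if __name__ == "__main__":
    print(run_exchange("ej", "s3cret-example"))   # ('401 Unauthorized', '200 OK')
    print(run_exchange("ej", "wrong-password"))   # ('401 Unauthorized', '401 Unauthorized')
```

Against a real server the same two steps can be captured with curl: a plain `curl -v http://host/protected/clientarea.html` should return 401 with a `WWW-Authenticate: Digest` header and no page body, and `curl -v --digest -u user:password http://host/protected/clientarea.html` shows the second request with its Authorization header. A trace in which the first, credential-less request already returns 200 is the thing worth attaching to the bug.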