Ticket #1598 (closed defect: worksforme)

Opened 2 months ago

Last modified 2 weeks ago

bypassing htdigest authentication by adding trailing "/" to the end of the url

Reported by: ricochen27@gmail.com Assigned to: jan
Priority: normal Milestone: 1.4.20
Component: core Version: 1.4.18
Severity: normal Keywords:
Cc: Blocking:
Need Feedback: 1

Description

Hi, I'm having this weird problem with the mod_auth module. I was trying to set up password protection for one of the directories for virtual host r-c.sytes.net. I have the following configuration in my lighttpd.conf:

server.modules = (
    "mod_access",
    "mod_auth",
......
......

$HTTP["host"] =~ "(^|\.)r-c\.sytes\.net$" {
    server.document-root = "/var/www/r-c.sytes.net"
    server.errorlog = "/var/log/lighttpd/r-c.sytes.net/error.log"
    accesslog.filename = "/var/log/lighttpd/r-c.sytes.net/access.log"
    server.error-handler-404 = "/e404.php"
    auth.backend                   = "htdigest"
    auth.backend.htdigest.userfile = "/etc/lighttpd/htdigest/passwd"
    auth.require                   = ( "/fun" =>
                                       (
                                         "method"  => "digest",
                                         "realm"   => "Restricted Area",
                                         "require" => "valid-user"
                                       ),
    )
}

It's working as expected, that is, if I browse to http://r-c.sytes.net/fun I am prompted with the authentication window. However, I found out that I can easily bypass the password protection: when the authentication window pops up, I hit the "Escape" key, then I append a "/" to the end of the url, that is, I open http://r-c.sytes.net/fun/ and I am able to open the restricted page without a password! Is this a bug in mod_auth? Also, I was not able to use "htpasswd" as auth.backend; I got this message in the "error.log":

(http_auth.c.962) digest: unsupported backend (only htdigest or plain)

I'm using lighttpd-1.4.18-r3 with Gentoo 2007.0. Thank you in advance for your time.

Change History

03/16/2008 01:49:32 PM changed by Olaf van der Spek

The htpasswd backend is only usable for the basic method, not for the digest method, according to http://trac.lighttpd.net/trac/wiki/Docs%3AModAuth

server.errorlog = "/var/log/lighttpd/r-c.sytes.net/error.log"

You do know there can be only one error log, right?

03/16/2008 01:59:38 PM changed by Olaf van der Spek

  • version changed from 1.4.19 to 1.4.18.

I can't reproduce this issue:

server.modules = (
        "mod_auth"
)

server.document-root = "/var/www"
auth.backend = "htdigest"
auth.backend.htdigest.userfile = "/etc/lighttpd/htdigest/passwd"
auth.require = ( "/fun" =>
        (
                "method"  => "digest",
                "realm"   => "Restricted Area",
                "require" => "valid-user"
        )
)

Can you?

I'm using 1.4.19 though, I think you should try 1.4.19 as well. ;)

04/29/2008 01:05:27 PM changed by stbuehler

  • status changed from new to closed.
  • resolution set to worksforme.

Missing feedback; please attach a complete config which reproduces your problem if you reopen this bug (and please use 1.4.19 for testing).
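The maintainers ask for something reproducible. The following is an added example (not part of the ticket or of lighttpd) that a server administrator can run against their own instance to record, for one auth.require prefix, the status code returned to an unauthenticated request for the bare path, the trailing-slash form from the ticket, and the index file under it; any variant not answered with 401 is listed as uncovered. The base URL http://127.0.0.1 and the path prefix /fun are assumptions to adjust for the server under test.

```python
"""Record which URL variants of a protected prefix get an auth challenge."""
from __future__ import annotations

import urllib.error
import urllib.request


def variants(prefix: str) -> list[str]:
    """Path variants worth checking for one auth.require prefix:
    the bare path, the trailing-slash form, and the default index file."""
    base = "/" + prefix.strip("/")
    return [base, base + "/", base + "/index.html"]


def status_of(url: str, timeout: float = 5.0) -> int:
    """HTTP status of an unauthenticated GET (urllib raises on 4xx/5xx,
    so the error's code is returned instead of the exception)."""
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def uncovered(results: dict[str, int]) -> list[str]:
    """Paths that were not answered with a 401 challenge, sorted."""
    return sorted(path for path, status in results.items() if status != 401)


def check(base_url: str, prefix: str) -> dict[str, int]:
    """Status code per variant of `prefix` on the server at `base_url`."""
    root = base_url.rstrip("/")
    return {path: status_of(root + path) for path in variants(prefix)}


if __name__ == "__main__":
    # Assumed test target: a local lighttpd with auth.require on "/fun".
    results = check("http://127.0.0.1", "/fun")
    for path, status in results.items():
        print(f"{status}  {path}")
    print("not challenged:", uncovered(results) or "none")
```

A 404 for a variant is reported too; it is not a bypass by itself, so read the status column rather than only the final list.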