Hello,

On 10/17/07 11:38, Henning Westerholt wrote:
On Thursday 04 October 2007, Daniel-Constantin Mierla wrote:
Revision: 2852
          http://openser.svn.sourceforge.net/openser/?rev=2852&view=rev
Author:   miconda
Date:     2007-10-04 06:22:45 -0700 (Thu, 04 Oct 2007)

Log Message:
-----------
- new PV: $adu - auth digest uri - the uri from auth credentials
- useful to tighten the security checks (can now be compared with To/R-URI
to see if it is the intended destination used to compose the digest response) -
reported by Radu State

Some further information for the archives:

This is the issue described in CVE-2007-5469:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5469

More explanations:

http://lists.grok.org.uk/pipermail/full-disclosure/2007-October/066581.html
For older versions (>=1.0.0) the solution would be:
- write the body of the Authorization/Proxy-Authorization header into an AVP via avp_printf() - do an avp_subst() and extract the value of the digest URI into another AVP
- use avp_check() to check it against the R-URI

The solution of leaving the check in the config file is to give more liberty in performing it. Imagine that the proxies are behind a load balancer and the R-URI is changed by the LB; in that case all auth will fail. The admin can add the initial R-URI in a special header at the LB and, in the proxy, compare that value with the digest URI. Embedding this check in the auth modules seemed too rigid.

Cheers,
Daniel

Cheers,

Henning



_______________________________________________
Devel mailing list
Devel@openser.org
http://openser.org/cgi-bin/mailman/listinfo/devel
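The check discussed in this thread, as an added example (not OpenSER's own source or a config fragment from the project): parse the Digest credentials out of the (Proxy-)Authorization header, take the `uri` parameter the client computed its response over, and compare it with the Request-URI the request is actually addressed to. The second mode covers the load-balancer case Daniel describes: the LB rewrites the R-URI but preserves the original one in a header, and the proxy compares the digest URI against that header instead. The SIP messages below are constructed for the example, and the header name `X-Orig-RURI` is an assumption standing in for whatever header the LB operator chooses.

```python
"""Digest-URI vs. destination check (added example, not OpenSER code)."""
import re

# Constructed sample requests, not captured traffic. The uri= parameter is the
# Request-URI the client signed over; a proxy that never compares it with the
# real destination accepts a digest response produced for another URI.
GOOD_REQUEST = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "To: <sip:bob@example.com>\r\n"
    "From: <sip:alice@example.com>;tag=1928301774\r\n"
    'Proxy-Authorization: Digest username="alice", realm="example.com", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
    'uri="sip:bob@example.com", response="6629fae49393a05397450978507c4ef1", '
    "algorithm=MD5\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# Same credentials, but the digest was computed over a different URI.
BAD_REQUEST = GOOD_REQUEST.replace(
    'uri="sip:bob@example.com"', 'uri="sip:carol@example.com"')

# Load-balancer case: the LB rewrote the Request-URI to the proxy's address and
# kept the original in a header. X-Orig-RURI is an assumed name for this example.
LB_REQUEST = GOOD_REQUEST.replace(
    "INVITE sip:bob@example.com SIP/2.0\r\n",
    "INVITE sip:proxy1.internal.example.com SIP/2.0\r\n"
    "X-Orig-RURI: sip:bob@example.com\r\n")

# name=value pairs; values are either quoted (with backslash escapes) or a token.
_PARAM_RE = re.compile(r'(\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^,\s]+))')


def split_message(raw):
    """Return (request_line, {header-name-lower: value}) for a SIP request.

    Keeps things simple for the example: no header folding, last duplicate wins.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def request_uri(raw):
    """The Request-URI from the first line (METHOD URI SIP/2.0)."""
    request_line, _ = split_message(raw)
    parts = request_line.split()
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        raise ValueError("malformed request line")
    return parts[1]


def digest_params(raw):
    """Parse Digest credentials from Proxy-Authorization or Authorization."""
    _, headers = split_message(raw)
    value = headers.get("proxy-authorization") or headers.get("authorization")
    if value is None:
        return None
    scheme, _, params = value.partition(" ")
    if scheme.lower() != "digest":
        return None
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _PARAM_RE.finditer(params)}


def digest_uri(raw):
    """The uri= parameter from the credentials (what $adu exposes in 1.3)."""
    params = digest_params(raw)
    return params.get("uri") if params else None


def digest_uri_matches_destination(raw, orig_ruri_header=None):
    """True only if the URI the digest was computed over is the real destination.

    Without orig_ruri_header the destination is the Request-URI. With it, the
    destination is taken from that header (the LB-preserved original R-URI);
    a request lacking the header is rejected rather than trusted.
    """
    adu = digest_uri(raw)
    if adu is None:
        return False
    if orig_ruri_header:
        _, headers = split_message(raw)
        expected = headers.get(orig_ruri_header.lower())
        if expected is None:
            return False
    else:
        expected = request_uri(raw)
    return adu == expected
```

Rejecting on a missing `uri` parameter or a missing LB header is deliberate: the check exists to bind the credentials to a destination, so the absence of either side is a failure, not a pass. Doing the comparison on the proxy (as the thread settles on) rather than inside the auth module is what lets the LB variant swap in the preserved header.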
