Full_Name: Piet Ruyssinck
Version: 2.6.3-1.3.12
OS: Solaris
Submission from: (NULL) (157.193.44.18)
I have an apache 1.3.12 webserver running over SSL (via mod_ssl). SSL,
of course, because I'm doing Basic Authentication and I don't want my
users' passwords to be eavesdropped upon.
Let the URL to some protected page be
https://myhost.my.domain/topsecret/index.html
The security issue/hole here is that when you would direct your browser
to http://myhost.my.domain:433/topsecret/index.html you will be asked
for your credentials, which are then transmitted unencrypted (i.e. not
over SSL). At this point, the apache httpd will return some protocol
mismatch error message, but this is AFTER you have sent your cleartext
credentials.
Why would I go to this wrong URL? I wouldn't of course. But someone
else (someone with the means to eavesdrop on the communication) might
try to lure people into using this wrong URL by setting up a web page
containing such a phony link to my site.
If I understand correctly what the software is doing, the
server answers the regular http request with a regular http reply
containing a 401 error. The browser sends the basic authentication
credentials in a second http request, again to port 443. At that
point the server delivers a protocol-mismatch error.
If that's what's happening, then it seems to me that it's clearly a
bug in the server, which should have delivered the protocol-mismatch
error on the first request, instead of demanding credentials.
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
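As an added example (not from the post above and not mod_ssl's own code), here is a small Python check an administrator can run against their own server to see which of the two behaviours described in the report it shows: it sends one plain-HTTP request to the TLS port and reports whether the reply is a Basic-auth challenge (the browser would then resend with credentials in cleartext) or a protocol error. The two sample responses are constructed for the offline test; host and path are placeholders.

```python
import socket

# Constructed sample responses modelling the two behaviours from the report:
# a 401 challenge (bad: the browser retries with cleartext credentials) and
# a protocol-mismatch error (the desired first reply on the TLS port).
BAD_RESPONSE = (
    b"HTTP/1.1 401 Authorization Required\r\n"
    b'WWW-Authenticate: Basic realm="topsecret"\r\n'
    b"Content-Type: text/html\r\n\r\n"
    b"<html>Authorization Required</html>"
)
GOOD_RESPONSE = (
    b"HTTP/1.1 400 Bad Request\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html>You're speaking plain HTTP to an SSL-enabled server port.</html>"
)


def parse_status_and_headers(raw):
    """Return (status_code, {lowercased header: value}) from a raw HTTP reply;
    status_code is None when the reply is empty or not HTTP at all."""
    head = raw.partition(b"\r\n\r\n")[0]
    lines = head.decode("iso-8859-1").split("\r\n")
    status_line = lines[0].split(" ", 2)
    if len(status_line) < 2 or not status_line[1].isdigit():
        return None, {}
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(status_line[1]), headers


def challenges_over_cleartext(raw):
    """True if a plain-HTTP request drew a Basic-auth challenge (the bug)."""
    status, headers = parse_status_and_headers(raw)
    challenge = headers.get("www-authenticate", "").lower()
    return status == 401 and challenge.startswith("basic")


def probe_tls_port(host, port=443, path="/topsecret/index.html", timeout=5.0):
    """Send one plain-HTTP GET to the TLS port of a server you administer.
    A server that drops or rejects the connection yields an empty reply,
    which is reported as False (no cleartext challenge)."""
    request = ("GET %s HTTP/1.0\r\nHost: %s\r\n\r\n" % (path, host)).encode("ascii")
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return challenges_over_cleartext(b"".join(chunks))
```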