Full_Name: Sergio Rabellino
Version: 2.8.8
OS: Solaris 7
Submission from: (NULL) (130.192.239.73)
The "if" in ssl_engine_kernel.c at line 1130 that checks against DN/password authorization coming directly from a client also breaks the internal redirect done by Apache under some conditions, such as directory indexing ... So if you use client auth with FakeBasicAuth and request an index, you get a 301 followed by a 403 (Forbidden)... Below I've attached a diff patch to correct this behaviour; I've tested it on my hosts and all things should be fine now. Thanks to Nick Miles for pointing me to the solution. Bye.

---snip 1130,1147d1129 < * Make sure the user is not able to fake the client certificate < * based authentication by just entering an X.509 Subject DN < * ("/XX=YYY/XX=YYY/..") as the username and "password" as the < * password. < */ < if ((cpAL = ap_table_get(r->headers_in, "Authorization")) != NULL) { < if (strcEQ(ap_getword(r->pool, &cpAL, ' '), "Basic")) { < while (*cpAL == ' ' || *cpAL == '\t') < cpAL++; < cpAL = ap_pbase64decode(r->pool, cpAL); < cpUN = ap_getword_nulls(r->pool, &cpAL, ':'); < cpPW = cpAL; < if (cpUN[0] == '/' && strEQ(cpPW, "password")) < return FORBIDDEN; < } < } < < /* 1158a1141,1161 > { > /* > * Make sure the user is not able to fake the client certificate > * based authentication by just entering an X.509 Subject DN > * ("/XX=YYY/XX=YYY/..") as the username and "password" as the > * password.
> */ > if ((cpAL = ap_table_get(r->headers_in, "Authorization")) != NULL) { > if (strcEQ(ap_getword(r->pool, &cpAL, ' '), "Basic")) { > while (*cpAL == ' ' || *cpAL == '\t') > cpAL++; > cpAL = ap_pbase64decode(r->pool, cpAL); > cpUN = ap_getword_nulls(r->pool, &cpAL, ':'); > cpPW = cpAL; > if (cpUN[0] == '/' && strEQ(cpPW, "password")) > { > ssl_log(r->server, SSL_LOG_INFO, "WARNING: Old mod_ssl breakthrough solicited (FakeBasicAuth by DN) !"); > return FORBIDDEN; > } > } > } 1159a1163 > } 1160a1165 > --snip

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
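Review bot: on the 1130,1147d1129 hunk, deleting the check here and re-adding it after line 1158 moves it past eleven lines (1148-1158) that the diff does not show; any early return in that span now bypasses the anti-spoof check completely, so before this goes in, confirm that a Basic "DN:password" credential can never reach the password-file lookup on those paths (a directory without the fake-auth option, or a non-SSL vhost, that shares the same htpasswd file is the case to test). A relocation-free alternative for the 301/403 in the report is to keep the check at 1130 and forbid only when the DN in the header does not match the DN of the client certificate verified on this connection (the DN the quoted comment says a spoofer is "just entering"); the header that trips on the internal redirect is then recognised as the module's own.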
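Review bot: in the 1158a1141,1161 hunk, the new ssl_log call logs at SSL_LOG_INFO while its text starts with "WARNING:"; use SSL_LOG_WARN so an admin logging at warn level actually sees it, replace "Old mod_ssl breakthrough solicited (FakeBasicAuth by DN) !" with a plain statement of what was seen (e.g. "FakeBasicAuth spoof attempt: DN given as user name with the fixed password") and include cpUN or the remote address so the event can be correlated. Style: `if (cpUN[0] == '/' && strEQ(cpPW, "password")) > {` opens the brace on its own line while every other block in the hunk uses `if (...) {`, and the extra `{` wrapping the whole relocated block (closed by 1159a1163) introduces no declarations, so it can be dropped together with that hunk.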
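The check the report quotes, as an added stand-alone example (my code, not mod_ssl's or the reporter's): it re-implements the parsing of the Basic header and the DN/"password" predicate, builds the header that FakeBasicAuth itself would forge for a verified certificate to show the two are byte-identical (which is why the check fires again on the internal redirect), and adds a variant that compares the DN in the header against the verified client DN. The DN "/C=IT/O=Foo/CN=Bar", the attacker header, the function names and the base64 helpers are assumptions; that the fake-auth scheme uses the fixed password "password" comes from the quoted comment.

```c
/* Added example, not mod_ssl or the reporter's code: a stand-alone model of
 * the FakeBasicAuth spoof check quoted in the report.  DN, headers and
 * function names are constructed for illustration. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Base64 encoder; out needs 4*((n+2)/3)+1 bytes. */
static void b64_encode(const unsigned char *in, size_t n, char *out)
{
    size_t i, o = 0;
    for (i = 0; i < n; i += 3) {
        unsigned v = (unsigned)in[i] << 16 | (i + 1 < n ? in[i + 1] << 8 : 0)
                   | (i + 2 < n ? in[i + 2] : 0);
        out[o++] = B64[v >> 18 & 63];
        out[o++] = B64[v >> 12 & 63];
        out[o++] = i + 1 < n ? B64[v >> 6 & 63] : '=';
        out[o++] = i + 2 < n ? B64[v & 63] : '=';
    }
    out[o] = '\0';
}

/* Base64 decoder; returns the decoded length, or -1 on bad input/overflow. */
static int b64_decode(const char *in, unsigned char *out, size_t outlen)
{
    unsigned v = 0, bits = 0;
    size_t o = 0;
    for (; *in && *in != '='; in++) {
        const char *p = strchr(B64, *in);
        if (!p) return -1;
        v = v << 6 | (unsigned)(p - B64);
        if ((bits += 6) >= 8) {
            if (o >= outlen) return -1;
            bits -= 8;
            out[o++] = (unsigned char)(v >> bits & 0xff);
        }
    }
    return (int)o;
}

/* Mirrors the quoted check's parsing: strcEQ("Basic") is case-insensitive,
 * blanks are skipped, the rest is base64 "user:password" split at the first
 * ':' (ap_getword_nulls: no ':' means an empty password).  0 = ok, -1 = not Basic. */
static int parse_basic(const char *hdr, char *user, size_t ulen, char *pw, size_t plen)
{
    unsigned char buf[512];
    char *colon;
    int i, n;
    for (i = 0; i < 5; i++)
        if (tolower((unsigned char)hdr[i]) != "basic"[i]) return -1;
    if (hdr[5] != ' ') return -1;
    for (hdr += 5; *hdr == ' ' || *hdr == '\t'; hdr++) ;
    if ((n = b64_decode(hdr, buf, sizeof buf - 1)) < 0) return -1;
    buf[n] = '\0';
    if ((colon = strchr((char *)buf, ':')) != NULL) *colon = '\0';
    snprintf(user, ulen, "%s", (char *)buf);
    snprintf(pw, plen, "%s", colon ? colon + 1 : "");
    return 0;
}

/* The quoted predicate: DN-shaped user name plus the fixed password. */
static int is_fakebasicauth_spoof(const char *authorization)
{
    char user[256], pw[256];
    if (parse_basic(authorization, user, sizeof user, pw, sizeof pw) != 0) return 0;
    return user[0] == '/' && strcmp(pw, "password") == 0;
}

/* What the fake-auth scheme itself stores in headers_in for a verified client
 * cert: "Basic " + base64("<DN>:password").  Static buffer; NULL if dn is too long. */
static const char *fake_basic_header(const char *dn)
{
    static char out[400];
    char cred[256], enc[4 * ((sizeof cred + 2) / 3) + 1];
    int len = snprintf(cred, sizeof cred, "%s:password", dn);
    if (len < 0 || (size_t)len >= sizeof cred) return NULL;
    b64_encode((const unsigned char *)cred, (size_t)len, enc);
    snprintf(out, sizeof out, "Basic %s", enc);
    return out;
}

/* Tighter variant (a suggestion, not the patch): a DN/"password" pair is only
 * acceptable when it names the DN of the certificate verified on this
 * connection, i.e. when it is the header the module forged itself.
 * verified_dn == NULL means no client certificate.  Returns 403 or 0. */
static int spoof_check(const char *authorization, const char *verified_dn)
{
    char user[256], pw[256];
    if (!authorization || parse_basic(authorization, user, sizeof user, pw, sizeof pw) != 0)
        return 0;
    if (user[0] != '/' || strcmp(pw, "password") != 0) return 0;
    if (verified_dn && strcmp(user, verified_dn) == 0) return 0;
    return 403;
}

int main(void)
{
    const char *dn = "/C=IT/O=Foo/CN=Bar";                               /* constructed */
    const char *attacker = "Basic L0M9SVQvTz1Gb28vQ049QmFyOnBhc3N3b3Jk"; /* dn:password, no cert */
    const char *forged = fake_basic_header(dn);
    printf("attacker: spoof=%d   module-forged: spoof=%d   same bytes=%d\n",
           is_fakebasicauth_spoof(attacker), is_fakebasicauth_spoof(forged),
           strcmp(attacker, forged) == 0);
    printf("spoof_check: no cert=%d  matching cert=%d  other cert=%d\n",
           spoof_check(attacker, NULL), spoof_check(forged, dn),
           spoof_check(forged, "/C=IT/O=Foo/CN=Other"));
    return 0;
}
```

The first printf shows the point of the report: the unconditional predicate cannot distinguish an attacker's "DN:password" from the header the module forged after verifying the certificate, so any later request that re-enters the hook with that header still present (the internal redirect) is refused. The second shows that tying the decision to the verified DN keeps the 403 for the no-certificate and wrong-certificate cases while letting the module's own header through.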