The check_password() function from auth.c has a couple of things disabled:
1. it does not check that the URI in the auth header equals the actual URI
2. it basically ignores the cnonce set by the server
These two checks were enabled at some point, and then disabled :-)

This makes shttpd authentication vulnerable, for example, to replay attacks,
if non-SSL connections are used. For stronger authentication, I would do
this:
1. keep the passwords file "as is". SHTTPD knows HA1 = MD5(user:domain:pass)
2. the daemon knows the password; it can calculate HA1 = MD5(user:domain:pass)
3. the daemon calculates X = MD5(HA1:ip:port:MD5(payload)) and sets
user:domain:value in some header
4. shttpd calculates the same (getting HA1 from the pass file) and compares the
calculated value.

This does a transaction in a single roundtrip.

Of course, SSL. Desirably, ACL. But the daemon must have a clear-text password
somehow; I don't know how it'll keep it. With browsers, humans keep
passwords in their memory and type them in a prompt; must the daemon do the
same?
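The scheme proposed in the post, as an added example that is not code from shttpd or from the poster: the daemon-side computation of X and the shttpd-side check against the stored HA1, with the passwords-file entry and the request constructed inline (user, domain, address and payload are made-up sample values).

```python
import hashlib
import hmac


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def ha1(user: str, domain: str, password: str) -> str:
    """HA1 = MD5(user:domain:pass), the form shttpd keeps in its passwords file."""
    return md5_hex(f"{user}:{domain}:{password}".encode())


def authenticator(ha1_hex: str, ip: str, port: int, payload: bytes) -> str:
    """X = MD5(HA1:ip:port:MD5(payload)), bound to the peer address and the body."""
    return md5_hex(f"{ha1_hex}:{ip}:{port}:{md5_hex(payload)}".encode())


def build_auth_header(user: str, domain: str, password: str,
                      ip: str, port: int, payload: bytes) -> str:
    """Daemon side: it knows the clear-text password and sends user:domain:X."""
    x = authenticator(ha1(user, domain, password), ip, port, payload)
    return f"{user}:{domain}:{x}"


def verify_auth_header(header: str, passwords: dict, ip: str, port: int,
                       payload: bytes) -> bool:
    """shttpd side: recompute X from the stored HA1 and compare in constant time."""
    parts = header.split(":")
    if len(parts) != 3:
        return False
    user, domain, x = parts
    stored_ha1 = passwords.get((user, domain))
    if stored_ha1 is None:
        return False
    expected = authenticator(stored_ha1, ip, port, payload)
    return hmac.compare_digest(expected.encode(), x.encode())


# Constructed sample data: one passwords-file entry and one request from the daemon.
PASSWORDS = {("daemon", "example.org"): ha1("daemon", "example.org", "s3cret")}
PAYLOAD = b'{"action": "status"}'
HEADER = build_auth_header("daemon", "example.org", "s3cret", "10.0.0.5", 4321, PAYLOAD)
```

Because X carries no nonce or timestamp, the same payload from the same ip:port produces the same X, so the scheme binds the request to its sender and body but still relies on SSL against a straight replay.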
shttpd-general mailing list
https://lists.sourceforge.net/lists/listinfo/shttpd-general