Hello,

I was wondering what the status of this report is: has it even been received? I've gotten no acknowledgement in two weeks or so.

Thanks,
Eugene

Thus spake Eugene Y. Vasserman on Mon, 20 Nov 2006:
> From: "Eugene Y. Vasserman" <[EMAIL PROTECTED]>
> Subject: Wget auth-md5 bug
> Date: Mon, 20 Nov 2006 11:23:20 -0600
> To: [EMAIL PROTECTED]
>
> Hi,
> I'm TAing a class on security, and some of the students in the class recently
> discovered a wget bug that will (when using --http-user and --http-passwd)
> transmit the username/password pair in cleartext (base64 encoded) even when
> the website asks for md5 authentication. It seems wget will transmit the
> --http-user and --http-passwd strings pre-emptively, or rather before the
> site says what kind of authorization method is to be used. Therefore, even
> when the authorization method is "secure", wget discloses passwords to
> adversaries that have a sniffer running.
> The version of wget used is 1.10.2, or the latest available on the FTP site.
> The students reporting this vulnerability were Mark Peloquin, Jon McLachln
> and Aaron Schumacher.
> Thanks,
> Eugene
>
> Relevant portions of the TCPdump attached below:
>
> 11:13:13.596870 IP 172.16.5.102.2207 > 172.16.5.103.www: S
> 1121427938:1121427938(0) win 5840 <mss 1460,sackOK,timestamp 241897729
> 0,nop,wscale 2>
> E..<[EMAIL PROTECTED]@.&....f...g...PB............2.........
> .k..........
> 11:13:13.596878 IP 172.16.5.103.www > 172.16.5.102.2207: S
> 2035711342:2035711342(0) ack 1121427939 win 5792 <mss 1460,sackOK,timestamp
> 300248124 241897729,nop,wscale 2>
> E..<[EMAIL PROTECTED]@......g...f.P..yV}nB.......Lk.........
> ..l<.k......
> 11:13:13.609660 IP 172.16.5.102.2207 > 172.16.5.103.www: . ack 1 win 1460
> <nop,nop,timestamp 241897730 300248124>
> [EMAIL PROTECTED]@.&....f...g...PB...yV}o...........
> .k....l<
> 11:13:13.609946 IP 172.16.5.102.2207 > 172.16.5.103.www: P 1:166(165) ack 1
> win
> 1460 <nop,nop,timestamp 241897730 300248124>
> [EMAIL PROTECTED]@.&L...f...g...PB...yV}o...........
> .k....l<GET /more-sekret/cheese HTTP/1.0
> User-Agent: Wget/1.10.2
> Accept: */*
> Authorization: Basic c3R1ZGVudDI6aW1tdW5pemVz
> Host: 172.16.5.103
> Connection: Keep-Alive
> 11:13:13.610366 IP 172.16.5.103.www > 172.16.5.102.2207: . ack 166 win 1716
> <nop,nop,timestamp 300248129 241897730>
> [EMAIL PROTECTED]@......g...f.P..yV}oB........s.....
> ..lA.k..
> 11:13:13.611726 IP 172.16.5.103.www > 172.16.5.102.2207: P 1:954(953) ack 166
> win 1716 <nop,nop,timestamp 300248129 241897730>
> E..../@[EMAIL PROTECTED]
> ..lA.k..HTTP/1.1 401 Authorization Required
> Date: Mon, 20 Nov 2006 17:13:13 GMT
> Server: Apache/2.0.55 (Ubuntu) mod_ssl/2.0.55 OpenSSL/0.9.8a
> WWW-Authenticate: Digest realm="Security by Misunderstanding",
> nonce="0zs31bAiBAA=b11dc070a7628b66da822eece146b0e61bbc11d7", algorithm=MD5,
> domain="/var/www/more-sekret", qop="auth"
> Content-Length: 509
> Keep-Alive: timeout=15, max=100
> Connection: Keep-Alive
> Content-Type: text/html; charset=iso-8859-1
>
>
> --
> Eugene Y. Vasserman
> http://www.cs.umn.edu/~eyv/

--
Eugene Y. Vasserman
http://www.cs.umn.edu/~eyv/
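
A check of the exchange captured above, as an added example that is not part of the original message or of wget: it parses the request and the 401 response from the capture and reports when Basic credentials were sent although the server's challenge offers only Digest. The function names and the one-challenge-per-header simplification are assumptions of this example.

```python
import base64

# Request and 401 response headers copied from the capture quoted above
# (the mail-wrapped WWW-Authenticate header is rejoined onto one line).
REQUEST = (
    "GET /more-sekret/cheese HTTP/1.0\r\n"
    "User-Agent: Wget/1.10.2\r\n"
    "Accept: */*\r\n"
    "Authorization: Basic c3R1ZGVudDI6aW1tdW5pemVz\r\n"
    "Host: 172.16.5.103\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)
RESPONSE = (
    "HTTP/1.1 401 Authorization Required\r\n"
    'WWW-Authenticate: Digest realm="Security by Misunderstanding", '
    'nonce="0zs31bAiBAA=b11dc070a7628b66da822eece146b0e61bbc11d7", '
    'algorithm=MD5, domain="/var/www/more-sekret", qop="auth"\r\n'
    "Content-Length: 509\r\n\r\n"
)

def headers(message):
    """Map lower-cased header names to their values; the start line is skipped."""
    out = {}
    for line in message.split("\r\n")[1:]:
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(":")
        out.setdefault(name.strip().lower(), []).append(value.strip())
    return out

def audit_exchange(request, response):
    """Report Basic credentials sent on a request whose 401 does not offer Basic."""
    # Assumption of this example: one challenge per WWW-Authenticate header.
    sent = headers(request).get("authorization", [""])[0]
    scheme, _, token = sent.partition(" ")
    challenges = headers(response).get("www-authenticate", [])
    offered = sorted({c.split(None, 1)[0].lower() for c in challenges if c})
    status = int(response.split(None, 2)[1])
    finding = {"sent": scheme.lower() or None, "offered": offered,
               "exposed": False, "user": None, "password": None}
    if finding["sent"] == "basic" and status == 401 and "basic" not in offered:
        # Base64 is an encoding, not encryption: anyone on the path can reverse it.
        user, _, password = base64.b64decode(token).decode("latin-1").partition(":")
        finding.update(exposed=True, user=user, password=password)
    return finding

if __name__ == "__main__":
    print(audit_exchange(REQUEST, RESPONSE))
```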