Received: by taz.hyperreal.com (8.8.4/V2.0) id IAA00281; Wed, 12 Mar 1997 08:47:01 -0800 (PST)
Received: from mrelay.jrc.it by taz.hyperreal.com (8.8.4/V2.0) with SMTP id IAA00241; Wed, 12 Mar 1997 08:46:55 -0800 (PST)
Received: from jrc.it (elect6.jrc.it) by mrelay.jrc.it (4.1/EB-950131-C) id AA18270; Wed, 12 Mar 97 17:52:53 +0100
Received: by jrc.it (5.x/EB-950213-L) id AA15878; Wed, 12 Mar 1997 17:45:43 +0100
Date: Wed, 12 Mar 1997 17:45:43 +0100
From: "Dirk.vanGulik"
Message-Id: <9703121645.AA15878@ jrc.it>
To: new-httpd@hyperreal.com, ben@syd.au.swissbank.com
Subject: Re: [BUG]: "authentication bypassed by MSIE 3.01 users" on Solaris 2.x (fwd)
X-Sun-Charset: US-ASCII
Sender: new-httpd-owner@apache.org
Precedence: bulk
Reply-To: new-httpd@hyperreal.com

I have some trouble believing this; and reproducing; what I can
reproduce is

1. if you have the page in the cache and press cancel/abort
   or enter a wrong password and press cancel, you will see the
   cached page; even if you request it to be explicitly checked.
   The entry in the log (if the RQ makes it) is just an AuthRQ.

2. if you press cancel on old versions of MSIE, and you
   have the save passwd on; it will use that (but you get
   the right entry in the logfile)

3. It is easy to make a dbm file with two null entries
   and thus allow in a null passwd.

DW.

> Please tell me he's mistaken. This sounds too stupid to be true.
>
>
> ---------- Forwarded message ----------
> Date: Tue Mar 11 21:12:48 1997
> From: ben@syd.au.swissbank.com
> To: apache-bugs%apache.org@organic.com
> Subject: [BUG]: "authentication bypassed by MSIE 3.01 users" on Solaris 2.x
>
> Submitter: ben@syd.au.swissbank.com
> Operating system: Solaris 2.x, version:
> Version of Apache Used: 1.2b4
> Extra Modules used:
> URL exhibiting problem:
>
> Symptoms:
> --
> Users of MS IE 3.01 (on NT 4.0) are able to
> bypass authentication by pressing the cancel button
> when asked to supply a user name and password.
>
> Apache serves the pages, and writes a blank in
> the access log as the auth user. (Rather than the
> "-" for an unknown user.)
>
> Other versions of MS IE, and other browsers are not
> able to do this. (They get an "authorisation
> failed" error message)
>
> This is not listed in the bug list. I am upgrading
> to 1.2b7 to see if it exhibits the problem.
> --
>
> Backtrace:
> --
>
> --
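
The symptom in the quoted report (pages served while the access log shows a blank auth user instead of "-") can be looked for in existing logs. The following is an added example, not part of the original mail and not Apache code; it assumes Common Log Format, assumes the blank appears as a zero-length authuser field, and uses constructed sample lines.

```python
import re

# Common Log Format: host ident authuser [time] "request" status bytes
# authuser uses \S* so that a zero-length value (two adjacent spaces) still parses.
CLF = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S*) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<bytes>\S+)$'
)

def classify(line):
    """Return (label, fields) for one access-log line."""
    m = CLF.match(line.rstrip("\n"))
    if not m:
        return "unparsed", None
    f = m.groupdict()
    status = int(f["status"])
    # Assumption: a quoted empty string is treated the same as a bare blank.
    blank = f["user"] in ("", '""')
    if blank and 200 <= status < 400:
        # Content was served, yet the user field is empty rather than "-".
        return "blank-user-served", f
    if (blank or f["user"] == "-") and status == 401:
        return "challenge", f
    return "ok", f

def blank_user_hits(lines):
    """Fields of every line where content was served with a blank auth user."""
    return [f for label, f in map(classify, lines) if label == "blank-user-served"]

# Constructed sample lines (documentation addresses, invented paths and sizes).
SAMPLE = [
    '192.0.2.10 - alice [11/Mar/1997:21:10:02 +1100] "GET /private/ HTTP/1.0" 200 1432',
    '192.0.2.11 - - [11/Mar/1997:21:11:40 +1100] "GET /private/ HTTP/1.0" 401 362',
    '192.0.2.11 -  [11/Mar/1997:21:11:44 +1100] "GET /private/ HTTP/1.0" 200 1432',
    '192.0.2.12 - - [11/Mar/1997:21:12:01 +1100] "GET /index.html HTTP/1.0" 200 2048',
]

if __name__ == "__main__":
    for hit in blank_user_hits(SAMPLE):
        print(hit["host"], hit["time"], hit["request"], hit["status"])
```

A hit only says the log matches the reported pattern; whether the request was really served from a protected area still has to be confirmed against the server configuration.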