httpd-dev mailing list archives

From Rob Hartill <>
Subject Forwarded mail....
Date Thu, 22 May 1997 19:26:25 GMT

 Date: Thu, 22 May 97 16:09:23 +0200
 From: Tankred Hirschmann <>

To whom it may concern,

I plan to substitute the old-fashioned NCSA httpd 1.4.2 (which serves our
Web-Site) by the apache daemon (v. 1.2.b10). Thus I tested in a preliminary
phase nearly all of the configuration directives... During this I found the
following points of question:

A request of a resource which requires digest authorization
can contain a request header

	Authorization: Digest ... nonce="value", ...

where `value' is an ARBITRARY string. It seems that there is absolutely no
correlation with a nonce-value given in a previous response-header necessary.
Indeed, by a very coarse view through the source code I didn't find any
usage of the "nonce" except the check of its existence in the appropriate
header line.
	Therefore the current implementation is as secure as it would be
without any `nonce'. The HTTP/1.1 RFC characterizes this as a security flaw...

Are there plans to change this implementation in future (beta) releases?

The header "replace/remove" directive only works with headers coming from
other header directives. But a "hard-wired" header produced by a cgi-script or
an asis-file (or induced by a cern_meta construct) remains untouched.

Is this behavior intended? If it is, a statement in the manual about this fact
may be helpful.

It would be nice to help me with some remarks about these points.

Good luck with your beautiful project and
Thanks in advance

Tankred Hirschmann

Dr. Tankred Hirschmann		Tel.: +49 (331) 977-1186 oder -1178
Universitaet Potsdam		Tel.: +49 (331) 977-1269 (Sekretariat)
Institut fuer Mathematik	Fax:  +49 (331) 977-1440
Am Neuen Palais 10 (Haus 8)	e-mail:
14469 Potsdam			WWW:
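The nonce check the message says is missing, as an added example that is not Apache code and not part of the original mail: the server issues a nonce it can later recognise (timestamp plus an HMAC over it) and rejects any other string presented in `Authorization: Digest ... nonce="..."`. The server key and the nonce lifetime are constructed assumptions.

```python
import base64
import hashlib
import hmac
import re
import time

# Constructed values for the example; a real server keeps its key secret.
SERVER_KEY = b"constructed-server-secret"
NONCE_LIFETIME = 300  # seconds a nonce stays acceptable


def issue_nonce(now=None):
    """Issue a self-validating nonce: base64("<timestamp>:<HMAC(key, timestamp)>")."""
    ts = str(int(now if now is not None else time.time()))
    tag = hmac.new(SERVER_KEY, ts.encode(), hashlib.sha256).hexdigest()
    return base64.b64encode(f"{ts}:{tag}".encode()).decode()


def nonce_from_header(auth_header):
    """Extract the nonce= parameter from an Authorization header value, or None."""
    if not auth_header.lower().startswith("digest "):
        return None
    m = re.search(r'\bnonce="([^"]*)"', auth_header)
    return m.group(1) if m else None


def nonce_is_valid(nonce, now=None):
    """Accept only a nonce this server issued that is neither stale nor future-dated."""
    try:
        ts, tag = base64.b64decode(nonce, validate=True).decode().split(":", 1)
        issued = int(ts)
    except ValueError:  # covers bad base64, bad UTF-8, missing ':' and non-numeric ts
        return False  # an arbitrary string never gets this far
    expected = hmac.new(SERVER_KEY, ts.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False  # forged or tampered nonce
    age = (now if now is not None else time.time()) - issued
    return 0 <= age <= NONCE_LIFETIME


def request_nonce_ok(auth_header, now=None):
    """The check a server should run before it even looks at the response= digest."""
    nonce = nonce_from_header(auth_header)
    return nonce is not None and nonce_is_valid(nonce, now)
```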
