httpd-dev mailing list archives

From: Marc Slemko <ma...@znep.com>
Subject: Communicator 4.04 little bug (fwd)
Date: Mon, 08 Dec 1997 17:03:04 GMT

Sigh.

---------- Forwarded message ----------
Date: Sun, 7 Dec 1997 18:34:30 +0000
From: Kenobi <kenobi@PULHAS.ORG>
To: BUGTRAQ@NETSPACE.ORG
Subject: Communicator 4.04 little bug

hi!

I was testing some stuff with Digest Authentication and noticed this little
problem with Communicator 4.04 (Tested on Linux and NT). IE3.02 (the only
available around here) does not experience this problem.

Apparently Communicator does not support Digest Auth but it still accepts
the challenge. After the user enters his username and password, Communicator
sends it to the server but obfuscated with Basic.

Now, if you set up a site protected with Digest, you would expect the
password not to travel plaintext (basic is plaintext) on the network, but
that is what happens.

The correct procedure would be to fail right there when it receives the
WWW-Authenticate: Digest header, like IE does.

--
Kenobi, JAPH BOFH Not-Eng
http://www.pulhas.org/~kenobi/
kenobi@pulhas.org
 -- I dunno, I dream in Perl, sometimes -- LWall
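
Added example, not part of the original post or of any server's own code: a server-side check in Python that flags the behaviour reported above, a client answering a Digest challenge with Basic credentials. It assumes one challenge per WWW-Authenticate value; the function names and the sample headers are constructed for illustration.

```python
import base64
import binascii

def scheme_of(header_value):
    """First token of a WWW-Authenticate or Authorization value, lowercased."""
    parts = header_value.strip().split(None, 1)
    return parts[0].lower() if parts else ""

def basic_user(header_value):
    """Username inside a Basic credential, or None if it does not decode."""
    try:
        token = header_value.strip().split(None, 1)[1]
        decoded = base64.b64decode(token, validate=True).decode("latin-1")
    except (IndexError, binascii.Error, ValueError):
        return None
    user, sep, _password = decoded.partition(":")  # password is never returned
    return user if sep else None

def check_exchange(challenges, authorization):
    """Compare the client's Authorization header with the schemes the server
    offered in its 401. Returns (verdict, username_or_None)."""
    offered = {scheme_of(c) for c in challenges}
    used = scheme_of(authorization)
    if used in offered:
        return ("ok", None)
    if used == "basic" and "digest" in offered:
        # The password has already crossed the network base64-encoded:
        # refuse the request and treat this account's password as exposed.
        return ("basic-reply-to-digest", basic_user(authorization))
    return ("unoffered-scheme", None)

# Constructed sample headers (not captured traffic).
DIGEST_CHALLENGE = 'Digest realm="private", nonce="constructed-nonce"'
DIGEST_REPLY = ('Digest username="alice", realm="private", '
                'nonce="constructed-nonce", uri="/", response="00000000"')
BASIC_REPLY = "Basic " + base64.b64encode(b"alice:example-password").decode()

if __name__ == "__main__":
    for reply in (DIGEST_REPLY, BASIC_REPLY):
        print(scheme_of(reply), check_exchange([DIGEST_CHALLENGE], reply))
```

The check only reports the exposure after the fact; the credentials have already been sent by the time the server sees the header.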

