httpd-dev mailing list archives

From Ben Laurie <...@algroup.co.uk>
Subject Re: [patch] digest replay protection
Date Sat, 20 Dec 2003 14:20:06 GMT
Dirk-Willem van Gulik wrote:

> Right now we do not verify the nonce used in digest. This means that
> an attacker can replay the response from another site or section
> on the web site if
> 
> ->	the user's username+password is the same across the site.
> ->	the realm name is the same
> 
> Unfortunately that is often the case (and for the real, there
> is a lot of DAV and webdav out there).
> 
> Below somewhat addresses that by verifying that the nonce
> is actually our own.

This doesn't appear to check that the timestamp is anywhere near now, 
which would prevent same-site replays...

Cheers,

Ben.

-- 
http://www.apache-ssl.org/ben.html       http://www.thebunker.net/

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
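As an added illustration (not the patch under discussion and not httpd's own mod_auth_digest code), the following self-contained C sketch shows server-side nonce issuance and validation that performs both checks the thread raises: the nonce carries a tag bound to a server secret and the realm, so a nonce minted by another site or for another realm is rejected, and it carries an issue timestamp that is compared against the current time, which is the freshness check Ben points out is missing. The keyed hash is a placeholder FNV-1a construction standing in for a real HMAC so the example builds without a crypto library; the secret, realm names, timestamps and the `make_nonce`/`check_nonce` names are all constructed for this example.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Placeholder keyed hash: FNV-1a over secret || realm || timestamp.
 * It only stands in for a real MAC (e.g. HMAC-SHA256) so the example
 * runs without a crypto library; FNV is not a MAC and must not be used
 * as one in a real server. */
static uint64_t keyed_tag(const char *secret, const char *realm, uint64_t ts)
{
    const uint64_t prime = 1099511628211ULL;
    uint64_t h = 1469598103934665603ULL;
    const char *p;
    int i;
    for (p = secret; *p; p++) { h ^= (unsigned char)*p; h *= prime; }
    h ^= 0xff; h *= prime;                 /* field separator */
    for (p = realm; *p; p++)  { h ^= (unsigned char)*p; h *= prime; }
    h ^= 0xff; h *= prime;
    for (i = 0; i < 8; i++)   { h ^= (ts >> (8 * i)) & 0xff; h *= prime; }
    return h;
}

typedef enum {
    NONCE_OK,          /* ours and fresh */
    NONCE_BAD_FORMAT,  /* not the shape we issue */
    NONCE_BAD_TAG,     /* not minted by us for this realm (cross-site/realm replay) */
    NONCE_STALE        /* ours, but issued too long ago or in the future */
} nonce_status;

/* Issue a nonce of the form "<timestamp-hex16>:<tag-hex16>". */
int make_nonce(const char *secret, const char *realm, uint64_t now,
               char *out, size_t outlen)
{
    uint64_t tag = keyed_tag(secret, realm, now);
    int n = snprintf(out, outlen, "%016llx:%016llx",
                     (unsigned long long)now, (unsigned long long)tag);
    return (n > 0 && (size_t)n < outlen) ? 0 : -1;
}

static int is_hex16(const char *s)
{
    int i;
    for (i = 0; i < 16; i++)
        if (!isxdigit((unsigned char)s[i])) return 0;
    return 1;
}

/* Validate a client-supplied nonce against our secret, the realm being
 * served, the current time and the maximum accepted age in seconds. */
nonce_status check_nonce(const char *secret, const char *realm,
                         const char *nonce, uint64_t now, uint64_t max_age)
{
    uint64_t ts, tag, expect;
    if (strlen(nonce) != 33 || nonce[16] != ':' ||
        !is_hex16(nonce) || !is_hex16(nonce + 17))
        return NONCE_BAD_FORMAT;
    ts  = strtoull(nonce, NULL, 16);
    tag = strtoull(nonce + 17, NULL, 16);

    /* First: is this nonce ours at all? (A real server compares the MAC
     * in constant time.) */
    expect = keyed_tag(secret, realm, ts);
    if (expect != tag) return NONCE_BAD_TAG;

    /* Second: is it near "now"? Without this, a captured same-site nonce
     * stays valid forever. */
    if (ts > now || now - ts > max_age) return NONCE_STALE;
    return NONCE_OK;
}

int main(void)
{
    char nonce[64];
    const char *secret = "constructed-server-secret";
    make_nonce(secret, "WebDAV", 1000, nonce, sizeof nonce);
    printf("nonce: %s\n", nonce);
    printf("fresh, same realm : %d\n", check_nonce(secret, "WebDAV", nonce, 1010, 300));
    printf("old, same realm   : %d\n", check_nonce(secret, "WebDAV", nonce, 2000, 300));
    printf("other realm       : %d\n", check_nonce(secret, "Intranet", nonce, 1010, 300));
    printf("other server      : %d\n", check_nonce("other-secret", "WebDAV", nonce, 1010, 300));
    return 0;
}
```

The order of the checks matters for the threat model in the thread: the tag check defeats the cross-site and cross-realm replay the original patch targets, and the age window (here `max_age`, with future-dated timestamps also refused) closes the same-site replay window Ben describes. Nonce reuse within that window is still possible; limiting it further needs per-nonce state, such as the `nc` counter tracking digest servers can keep.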
