httpd-dev mailing list archives

From "Roy T. Fielding" <>
Subject Re: NTLM HTTP Authentication is insecure by design - a new writeup by Amit Klein
Date Tue, 19 Jul 2005 08:57:19 GMT
On Jul 18, 2005, at 12:30 PM, William A. Rowe, Jr. wrote:
>>                     NTLM HTTP Authentication
>>              (and possibly other connection-oriented
>>          HTTP authentication and authorization protocols)
>>                      is insecure by design

Yep, no shit -- that's what the Microsoft fools were told when
they introduced it.

>> *) The web server (IIS/6.0) must receive a Via-less request. The
>> Microsoft implementation assumes that the Via header is always sent
>> by a proxy server, and this is indeed mandated by the HTTP/1.1 RFC
>> 2616 (, section 14.45:
>>  The Via general-header field MUST be used by gateways and proxies
>>  to indicate the intermediate protocols and recipients between the
>>  user agent and the server on requests [...]


>> However, it seems that not all servers adhere to this standard. For
>> example, Apache 2.0.54 mod_proxy does not generate a Via header by
>> default (see the ProxyVia directive -
>>, yet
>> the default httpd.conf file contains a commented-out "ProxyVia On"
>> directive, so it's possible that many Apache proxy deployments do

WTF?  That's a bug.

>> *) Proxy vendors - do not share TCP connections to the server
>> among several clients. Yes, it improves performance, but it's also
>> insecure and enables/aids 3 different attacks (the one described
>> here, HTTP Request Smuggling and HTTP Response Splitting).
>> Also, comply to the RFC and send the HTTP Via request header by
>> default (Apache Group - please take note).
> As reverse proxy is never enabled without intent, the impact of
> Apache on this vector is very low (note that Amit deliberately
> introduced this into his reproduction case) - but anyone who has
> intentionally used Apache as a reverse proxy to protect sensitive
> IIS servers behind their DMZ using NTLM auth is vulnerable (as are
> users of various NTLM Apache auth modules sitting behind Apache
> reverse proxies.)

We don't really need to get in between their gun and their foot.

> My thinking is that rather than 'revealing' the reverse proxy
> origin server, we should be dumping the auth headers if they are

I don't think that will work from the browser's perspective.
I would just mark the connection as being in use by a single
client and remove it when the client closes.
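Roy's suggested fix (reserve the backend connection for one client once connection-oriented auth occurs, and drop it when that client closes), as an added example that is not Apache's mod_proxy code: a constructed pool simulation in which the `ProxyPool`, `backend()` and `second_client_status()` names are hypothetical, and the "backend" is a stand-in that keeps auth state per TCP connection the way the writeup describes.

```python
from dataclasses import dataclass
from typing import Optional

CONNECTION_AUTH = ("NTLM", "Negotiate")  # connection-oriented auth schemes

@dataclass
class UpstreamConn:
    conn_id: int
    authenticated_as: Optional[str] = None  # backend-side state, tied to the TCP connection
    pinned_to: Optional[str] = None         # proxy-side: the one client allowed to use it

def backend(conn: UpstreamConn, headers: dict) -> int:
    """Constructed stand-in for a server doing connection-oriented auth (hypothetical)."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme in CONNECTION_AUTH and token:
        conn.authenticated_as = token   # auth state lives on the connection, not the request
    return 200 if conn.authenticated_as else 401

class ProxyPool:
    """Reverse-proxy backend connection pool; pin_after_auth is the mitigation."""
    def __init__(self, pin_after_auth: bool):
        self.pin_after_auth = pin_after_auth
        self.idle: list = []      # connections shared by any client
        self.pinned: dict = {}    # client_id -> connection reserved for that client
        self.created = 0

    def _new(self) -> UpstreamConn:
        self.created += 1
        return UpstreamConn(self.created)

    def forward(self, client_id: str, headers: dict) -> int:
        conn = self.pinned.get(client_id) or (self.idle.pop() if self.idle else self._new())
        status = backend(conn, headers)
        scheme = headers.get("Authorization", "").partition(" ")[0]
        if self.pin_after_auth and (scheme in CONNECTION_AUTH or conn.pinned_to == client_id):
            conn.pinned_to = client_id
            self.pinned[client_id] = conn   # mark as in use by a single client
        else:
            self.idle.append(conn)          # returned to the shared pool (the flaw)
        return status

    def client_closed(self, client_id: str) -> None:
        self.pinned.pop(client_id, None)    # closed with the client, never reused

def second_client_status(pin_after_auth: bool) -> int:
    """Status an unauthenticated second client gets after the first one authenticated."""
    pool = ProxyPool(pin_after_auth)
    pool.forward("alice", {"Authorization": "NTLM <constructed-type3-token>"})
    return pool.forward("mallory", {})
```

With a shared pool the second client's bare request is answered on the still-authenticated connection (200); with pinning it gets a fresh, unauthenticated connection (401), and the pinned one is discarded when the first client closes.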

