httpd-dev mailing list archives

From Marcus Meissner <meiss...@suse.de>
Subject Re: CVE-2003-1418 - still affects apache 2 current
Date Thu, 01 Sep 2011 15:09:47 GMT
On Thu, Sep 01, 2011 at 03:55:28PM +0100, Nick Kew wrote:
> On Thu, 1 Sep 2011 16:36:24 +0200
> Marcus Meissner <meissner@suse.de> wrote:
> 
> 
> > This just md5s the inodenr, right?
> > 
> > If yes, this is just obfuscation if you do not add some kind of random salt.
> > 
> > (You can still just do
> > 	for (i=0;i<...;i++) md5($i) 
> > and compare, including use of Rainbow Tables.)
> 
> Erm, yeah.  I guess brute force on 2^64 numbers is too easy,
> even if the information leaked is of low value.
> 
> Would you consider it strong enough if we aggregate
> inode+size+mtime and make the etag an md5 hash of that?
> Brings the benefit of a slightly shorter string with
> a patch that's still simple.

Both size and mtime are easily retrievable from remote,
you need to add some stuff the attacker cannot derive ;)

Ciao, Marcus
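
The point made in this thread, as an added example that is not part of the original messages or of httpd's code: it checks whether the inode can be recovered from each ETag construction discussed, with size and mtime treated as known from `Content-Length` and `Last-Modified`. The function names, the sample metadata, and the HMAC-SHA256 keyed variant with a per-server secret are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

def etag_md5_inode(inode):
    # First proposal in the thread: MD5 of the inode number alone.
    return hashlib.md5(str(inode).encode()).hexdigest()

def etag_md5_aggregate(inode, size, mtime):
    # Second proposal: MD5 over inode+size+mtime, still no secret input.
    return hashlib.md5(f"{inode}-{size}-{mtime}".encode()).hexdigest()

def etag_keyed(key, inode, size, mtime):
    # Assumed fix: HMAC-SHA256 under a secret server key, truncated to 32 hex chars.
    msg = f"{inode}-{size}-{mtime}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]

def inode_recoverable(etag, derive, search_space):
    # The enumeration loop quoted in the thread, used as a leak check:
    # returns the inode whose derived tag matches, or None.
    for candidate in search_space:
        if hmac.compare_digest(derive(candidate), etag):
            return candidate
    return None

# Constructed sample metadata, not taken from any real server.
INODE, SIZE, MTIME = 1_048_933, 4096, 1314889787
SEARCH = range(1_048_000, 1_050_000)  # small window keeps the demo fast
SERVER_KEY = secrets.token_bytes(32)  # known only to the server

def leak_report(guessed_key=b"\x00" * 32):
    # size and mtime are treated as known, as the reply says (Content-Length, Last-Modified)
    return {
        "md5(inode)": inode_recoverable(etag_md5_inode(INODE), etag_md5_inode, SEARCH),
        "md5(inode+size+mtime)": inode_recoverable(
            etag_md5_aggregate(INODE, SIZE, MTIME),
            lambda i: etag_md5_aggregate(i, SIZE, MTIME), SEARCH),
        "hmac(key, inode+size+mtime)": inode_recoverable(
            etag_keyed(SERVER_KEY, INODE, SIZE, MTIME),
            lambda i: etag_keyed(guessed_key, i, SIZE, MTIME), SEARCH),
    }

if __name__ == "__main__":
    for scheme, found in leak_report().items():
        print(f"{scheme:30} inode recovered: {found}")
```

The keyed tag stays stable across requests for an unchanged file as long as the key is persisted, which cache validation depends on.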
