httpd-dev mailing list archives

From Nick Kew <n...@webthing.com>
Subject Re: CVE-2003-1418 - still affects apache 2 current
Date Thu, 01 Sep 2011 14:55:28 GMT
On Thu, 1 Sep 2011 16:36:24 +0200
Marcus Meissner <meissner@suse.de> wrote:


> This just md5s the inodenr, right?
> 
> If yes, this is just obfuscation if you do not add some kind of random salt.
> 
> (You can still just do
> 	for (i=0;i<...;i++) md5($i) 
> and compare, including use of Rainbow Tables.)

Erm, yeah.  I guess brute force on 2^64 numbers is too easy,
even if the information leaked is of low value.

Would you consider it strong enough if we aggregate
inode+size+mtime and make the etag an md5 hash of that?
Brings the benefit of a slightly shorter string with
a patch that's still simple.

-- 
Nick Kew
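
Added example, not part of the original message or of the httpd code base: it puts the enumeration described in the quoted text (unsalted md5 of the inode number) next to a keyed ETag over inode+size+mtime. The decimal string encoding, the HMAC-SHA256 construction, the per-server secret standing in for the "random salt", and all sample values are assumptions made for the illustration.

```python
import hashlib
import hmac


def etag_md5_inode(inode: int) -> str:
    """Unsalted variant from the thread: ETag = md5(inode).
    Encoding the inode as a decimal string is an assumption."""
    return hashlib.md5(str(inode).encode()).hexdigest()


def recover_inode(etag: str, candidates: range):
    """The loop from the quoted text: hash each candidate and compare."""
    for i in candidates:
        if etag_md5_inode(i) == etag:
            return i
    return None


def etag_keyed(secret: bytes, inode: int, size: int, mtime: int) -> str:
    """Keyed variant: HMAC over inode+size+mtime with a per-server secret.
    Without the secret, candidate values cannot be hashed and compared."""
    msg = f"{inode}:{size}:{mtime}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]


def demo():
    # Constructed sample file attributes (not taken from any real server).
    inode, size, mtime = 1_234_567, 4096, 1314888928
    window = range(1_200_000, 1_300_000)  # small window to keep the run short

    # Unsalted: whoever sees the ETag can enumerate and match it.
    leaked = recover_inode(etag_md5_inode(inode), window)

    # Keyed: the same enumeration without the server's secret never matches.
    secret = b"constructed-per-server-secret"
    etag = etag_keyed(secret, inode, size, mtime)
    matched_without_key = any(
        etag_keyed(b"", i, size, mtime) == etag
        for i in range(inode - 1000, inode + 1000)
    )
    return leaked, matched_without_key, etag


if __name__ == "__main__":
    leaked, matched, etag = demo()
    print("inode recovered from unsalted ETag:", leaked)
    print("keyed ETag matched without the secret:", matched)
    print("keyed ETag:", etag)
```

The keyed ETag still changes whenever inode, size or mtime changes, so it keeps working as a cache validator.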
