Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 28 Jul 2009 16:54:26 +0400
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Cc: ithilgore <ithilgore.ryu.l@...il.com>
Subject: Re: Apache 2.2 HTTP Basic Auth bypass

On Tue, Jul 28, 2009 at 03:27:52PM +0300, ithilgore wrote:
>  I am not sure yet if this works on Apache 2.2.11 which is the latest release. I have tried
> and reproduced it on some earlier versions (e.g Apache 2.2.2). Thus I wouldn't really mark
> it as that critical yet, since up-to-date servers might not really be vulnerable.

I never implied it was "critical", yet it sounded "fairly important",
and it still does, even if it only affects specific non-latest versions.
When maintaining older distro releases / stable branches, distro vendors
tend to back-port known security fixes, so even if an issue is no longer
present in the latest version and even if older versions have other
"equivalent" or "worse" vulnerabilities, that does not make your
discovery unimportant.  In fact, this back-porting approach appears to
be more common than updating a non-development release/branch to a new
upstream version.  Thus, there may well be "latest" distro packages of
older versions of Apache with all other known important security issues
fixed.  Also, systems administrators may not be "blindly" updating to
latest upstream releases - they may be relying on documentation of known
important issues to decide when to upgrade.

> All in all, for now I wouldn't really make that much of an issue about it and I don't think that
> the vendors need to hold off releasing anything if they have to.

OK, thanks for sharing your opinion.  I think the vendors will decide
for themselves.

BTW, I wouldn't be too surprised if the problem turns out not to be an
Apache bug, after all, but rather something specific to your system.

> Anyway, I had already mentioned
> it in the lists some days earlier and for some reason that didn't attract any attention (perhaps because
> I didn't use the word 0day there): http://seclists.org/nmap-dev/2009/q3/0305.html

Yes, I am "guilty" of having missed that.  I am not watching nmap-dev
discussions closely.

> I am in the process of further investigating the issue, however.

Great.  I suggest that you work with Apache security folks off-list to
get the details figured out.  Since you did not reveal anything very
specific yet (other than that a development version of Ncrack triggers
the problem on a system of yours), it makes sense to possibly reduce the
window of exposure by coming up with a fix before the bug is fully
disclosed.

Thanks,

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.