Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 28 Jul 2009 16:54:26 +0400
From: Solar Designer <>
Cc: ithilgore <>
Subject: Re: Apache 2.2 HTTP Basic Auth bypass

On Tue, Jul 28, 2009 at 03:27:52PM +0300, ithilgore wrote:
>  I am not sure yet if this works on Apache 2.2.11 which is the latest release. I have tried
> and reproduced it on some earlier versions (e.g Apache 2.2.2). Thus I wouldn't really mark
> it as that critical yet, since up-to-date servers might not really be vulnerable.

I never implied it was "critical", yet it sounded "fairly important",
and it still does, even if it only affects specific non-latest versions.
When maintaining older distro releases / stable branches, distro vendors
tend to back-port known security fixes, so even if an issue is no longer
present in the latest version and even if older versions have other
"equivalent" or "worse" vulnerabilities, that does not make your
discovery unimportant.  In fact, this back-porting approach appears to
be more common than updating a non-development release/branch to a new
upstream version.  Thus, there may well be "latest" distro packages of
older versions of Apache with all other known important security issues
fixed.  Also, systems administrators may not be "blindly" updating to
latest upstream releases - they may be relying on documentation of known
important issues to decide when to upgrade.

> All in all, for now I wouldn't really make that much of an issue about it and I don't think that
> the vendors need to hold off releasing anything if they have to.

OK, thanks for sharing your opinion.  I think the vendors will decide
for themselves.

BTW, I wouldn't be too surprised if the problem turns out not to be an
Apache bug, after all, but rather something specific to your system.

> Anyway, I had already mentioned
> it in the lists some days earlier and for some reason that didn't attract any attention (perhaps because
> I didn't use the word 0day there):

Yes, I am "guilty" of having missed that.  I am not watching nmap-dev
discussions closely.

> I am in the process of further investigating the issue, however.

Great.  I suggest that you work with Apache security folks off-list to
get the details figured out.  Since you did not reveal anything very
specific yet (other than that a development version of Ncrack triggers
the problem on a system of yours), it makes sense to possibly reduce the
window of exposure by coming up with a fix before the bug is fully



Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.