Project

General

Profile

[Solved] Security issues with Digest Authentication

Added by maj_coep almost 16 years ago

With Digest Authentication i observed that if we send Authorization header with some random nonce & corresponding response , lighttpd gives 200 OK. While in case of Apache , it says STALE = TRUE flag indicating that nonce was stale.

But Lighttpd does not compare incoming nonce & nonce what it has generated...

Which gives security threat & reply attacks if hacker can get realm from server ...

I want to implement it ...or does somebody already noticed it...(some hints)?
(Lighttpd 1.4.19)

Regards

Max


Replies (3)

RE: Security issues with Digest Authentication - Added by darix almost 16 years ago

this is even documented in the mod_auth documentation.

RE: Security issues with Digest Authentication - Added by gstrauss over 8 years ago

This will be fixed in lighttpd 1.4.41 (not yet released), with a 10 min lifetime of nonces.

    (1-3/3)