[Solved] Security issues with Digest Authentication
Added by maj_coep almost 16 years ago
With Digest Authentication I observed that if we send an Authorization header with some random nonce and the corresponding response, lighttpd gives 200 OK, while in the case of Apache it sets the STALE=TRUE flag, indicating that the nonce was stale.
But lighttpd does not compare the incoming nonce with the nonce it has generated...
Which is a security threat and allows replay attacks if a hacker can get the realm from the server...
I want to implement it... or has somebody already noticed it (some hints)?
(Lighttpd 1.4.19)
Regards
Max
Replies (3)
RE: Security issues with Digest Authentication - Added by darix almost 16 years ago
This is even documented in the mod_auth documentation.
RE: Security issues with Digest Authentication - Added by gstrauss over 8 years ago
This will be fixed in lighttpd 1.4.41 (not yet released), with a 10 min lifetime of nonces.
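The two behaviours discussed in this thread (the original post's observation that a server which never checks the nonce will accept any nonce as long as the digest response matches, and gstrauss's note that the fix bounds nonce lifetime to 10 minutes) can be shown with a small server-side nonce validator. The following is an added example, not lighttpd's code: it issues nonces as a timestamp plus an HMAC under a server secret, verifies the RFC 2617 response without qop, and then classifies the nonce as valid, stale, or forged. The realm, user table, secret and the `verify_authorization` helper are all constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional, Tuple

NONCE_LIFETIME = 600  # seconds; the 10 minute lifetime mentioned for lighttpd 1.4.41
SERVER_SECRET = secrets.token_bytes(32)  # constructed per process; never sent to clients

# Constructed user table: realm -> {username: password}
USERS = {"example realm": {"max": "correct horse"}}


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def _now(now: Optional[float]) -> int:
    return int(now if now is not None else time.time())


def make_nonce(now: Optional[float] = None) -> str:
    """Issue a nonce the server can later recognise: 8 hex chars of timestamp + HMAC tag."""
    ts_hex = f"{_now(now):08x}"
    mac = hmac.new(SERVER_SECRET, ts_hex.encode(), hashlib.sha256).hexdigest()[:32]
    return ts_hex + mac


def check_nonce(nonce: str, now: Optional[float] = None) -> str:
    """Classify a client-supplied nonce as 'valid', 'stale' or 'forged'."""
    if len(nonce) != 40:
        return "forged"
    ts_hex, mac = nonce[:8], nonce[8:]
    try:
        issued = int(ts_hex, 16)
    except ValueError:
        return "forged"
    expected = hmac.new(SERVER_SECRET, ts_hex.encode(), hashlib.sha256).hexdigest()[:32]
    if not hmac.compare_digest(expected, mac):
        return "forged"  # not issued by this server: a random or attacker-chosen nonce
    age = _now(now) - issued
    if age < 0 or age > NONCE_LIFETIME:
        return "stale"
    return "valid"


def digest_response(username: str, realm: str, password: str,
                    method: str, uri: str, nonce: str) -> str:
    """RFC 2617 response without qop: MD5(HA1 ":" nonce ":" HA2)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def verify_authorization(fields: dict, method: str,
                         now: Optional[float] = None) -> Tuple[int, bool]:
    """Return (HTTP status, stale flag to put in the WWW-Authenticate challenge).

    `fields` holds the parsed Authorization header parameters. The response is
    checked first so that stale=true is only ever sent for correct credentials,
    which is what lets a client retry transparently with a fresh nonce.
    """
    password = USERS.get(fields.get("realm"), {}).get(fields.get("username"))
    if password is None:
        return 401, False
    expected = digest_response(fields["username"], fields["realm"], password,
                               method, fields["uri"], fields["nonce"])
    if not hmac.compare_digest(expected, fields["response"]):
        return 401, False  # wrong credentials
    # A server that stopped here (accepting any nonce once the response matches)
    # shows the behaviour the original post describes; the nonce check below is
    # what turns a replayed or random nonce into a rejection or a stale challenge.
    state = check_nonce(fields["nonce"], now)
    if state == "valid":
        return 200, False
    if state == "stale":
        return 401, True  # stale=true: credentials fine, retry with a new nonce
    return 401, False  # forged nonce: treat like bad credentials, no stale hint


if __name__ == "__main__":
    n = make_nonce()
    req = {"username": "max", "realm": "example realm", "uri": "/", "nonce": n,
           "response": digest_response("max", "example realm", "correct horse", "GET", "/", n)}
    print(verify_authorization(req, "GET"))  # fresh server nonce, correct digest
    req["nonce"] = "0" * 40
    req["response"] = digest_response("max", "example realm", "correct horse", "GET", "/", req["nonce"])
    print(verify_authorization(req, "GET"))  # random nonce with matching response is refused
```

Because the nonce carries its own issue time under an HMAC, the server needs no per-nonce storage to reject nonces it never issued or to expire old ones; a nonce replayed within the lifetime window is still accepted, so a shorter lifetime or a per-nonce counter is the knob to tighten if that window matters for the deployment.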