
[Solved] Security issues with Digest Authentication

Added by maj_coep over 15 years ago

With Digest Authentication I observed that if we send an Authorization header with some random nonce & corresponding response, lighttpd gives 200 OK. While in case of Apache, it sets the STALE = TRUE flag indicating that the nonce was stale.

But lighttpd does not compare the incoming nonce & the nonce it has generated...

Which gives a security threat & replay attacks if a hacker can get the realm from the server ...

I want to implement it ... or has somebody already noticed it ... (some hints)?
(Lighttpd 1.4.19)

Regards

Max


Replies (3)

RE: Security issues with Digest Authentication - Added by darix over 15 years ago

This is even documented in the mod_auth documentation.

RE: Security issues with Digest Authentication - Added by gstrauss almost 8 years ago

This will be fixed in lighttpd 1.4.41 (not yet released), with a 10 min lifetime of nonces.
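The check the original post asks for, and the time-limited nonce gstrauss describes, can be built without the server storing any nonce state: the server issues nonces that carry an issue timestamp and an HMAC over it under a per-process key, so on the next request it can tell a nonce it issued from one the client invented, and a genuine-but-expired nonce from a live one. The following is an added, stand-alone Python illustration written for this thread; it is not lighttpd's mod_auth code, and the helper names (`make_nonce`, `check_nonce`, `authorize`, `parse_digest_header`), the 600-second lifetime constant and the RFC 2617 sample credentials (`mufasa` / `Circle Of Life` / `testrealm@host.com`) are assumptions and constructed test data, not values from the page.

```python
import base64
import hashlib
import hmac
import re
import secrets
import time

# Nonce lifetime: the 10 minutes the thread cites for the lighttpd 1.4.41 fix.
NONCE_LIFETIME_SECONDS = 600

# Per-process secret that binds nonces to this server. Generated at start-up here
# (constructed for the example); a real server keeps it out of logs and config.
SERVER_KEY = secrets.token_bytes(32)


def make_nonce(now=None, key=SERVER_KEY):
    """Issue nonce = base64("<unix-ts>:<HMAC-SHA256(key, unix-ts)>").

    The timestamp lets the server expire the nonce; the MAC lets it recognise a
    nonce it issued without keeping a table of outstanding nonces.
    """
    ts = str(int(time.time() if now is None else now))
    tag = hmac.new(key, ts.encode(), hashlib.sha256).hexdigest()
    return base64.b64encode(f"{ts}:{tag}".encode()).decode()


def check_nonce(nonce, now=None, key=SERVER_KEY, lifetime=NONCE_LIFETIME_SECONDS):
    """Classify a client-supplied nonce as 'ok', 'stale' or 'invalid'."""
    try:
        ts, tag = base64.b64decode(nonce, validate=True).decode().split(":", 1)
        issued = int(ts)
    except ValueError:  # bad base64, bad UTF-8, missing ':' or non-numeric timestamp
        return "invalid"
    expected = hmac.new(key, ts.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return "invalid"  # never issued by this server: a made-up or foreign nonce
    age = (time.time() if now is None else now) - issued
    if age < 0 or age > lifetime:
        return "stale"  # genuine but expired: client may retry with a fresh nonce
    return "ok"


_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def parse_digest_header(value):
    """Parse 'Digest k="v", k2=v2, ...' into a dict; unquoted values are accepted."""
    scheme, _, rest = value.strip().partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest credential")
    return {k: quoted or bare for k, quoted, bare in _PARAM.findall(rest)}


def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, realm, password, method, uri, nonce):
    """RFC 2617 response without qop: MD5(HA1 ":" nonce ":" HA2)."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def build_authorization(username, realm, password, method, uri, nonce):
    """Client side: the Authorization header a browser would send for this nonce."""
    resp = digest_response(username, realm, password, method, uri, nonce)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", response="{resp}"')


def authorize(header, method, realm, password_lookup, now=None):
    """Server side: return (status, WWW-Authenticate or None) for one request.

    stale=true is offered only when the nonce is one we issued AND the digest is
    correct, so a random nonce with a matching response (the 1.4.19 behaviour the
    thread reports as returning 200) is simply rejected with a fresh challenge.
    """
    p = parse_digest_header(header)
    challenge = f'Digest realm="{realm}", nonce="{make_nonce(now)}"'
    if any(k not in p for k in ("username", "nonce", "uri", "response")):
        return 401, challenge
    if p.get("realm") != realm:  # use the server's configured realm, not the client's
        return 401, challenge
    verdict = check_nonce(p["nonce"], now)
    if verdict == "invalid":
        return 401, challenge
    password = password_lookup(p["username"])
    if password is None:
        return 401, challenge
    expected = digest_response(p["username"], realm, password, method, p["uri"], p["nonce"])
    if not hmac.compare_digest(expected.encode(), p["response"].encode()):
        return 401, challenge
    if verdict == "stale":
        return 401, challenge + ", stale=true"
    return 200, None


if __name__ == "__main__":
    users = {"mufasa": "Circle Of Life"}  # constructed credential store (RFC 2617 sample)
    realm = "testrealm@host.com"
    nonce = make_nonce()
    good = build_authorization("mufasa", realm, "Circle Of Life", "GET", "/dir/index.html", nonce)
    print("issued nonce:", authorize(good, "GET", realm, users.get))
    forged = make_nonce(key=b"not-the-server-key")  # a nonce the server never issued
    bad = build_authorization("mufasa", realm, "Circle Of Life", "GET", "/dir/index.html", forged)
    print("made-up nonce:", authorize(bad, "GET", realm, users.get))
```

Two design points are worth noting. The ordering in `authorize` matches the RFC's intent for `stale`: it is a hint that the credentials were right and only the nonce aged out, so it is set only after the digest has been verified, and an unrecognised nonce never earns it. And because the nonce carries its own MAC, the check is stateless; a per-nonce counter (to reject a second use of the same nonce within the lifetime) would need server-side state and is the next step beyond what this thread discusses.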
