Project

General

Profile

Actions

Bug #1598

closed

bypassing htdigest authentication by adding trailing "/" to the end of the url

Added by Anonymous over 16 years ago. Updated about 16 years ago.

Status:
Missing Feedback
Priority:
Normal
Category:
core
Target version:
ASK QUESTIONS IN Forums:

Description

Hi, I'm having this weird problem with the mod_auth module. I was trying to set up password protection for one of the directories for virtual host r-c.sytes.net. I have the following configuration in my lighttpd.conf:


server.modules = (
    "mod_access",
    "mod_auth",
......
......

$HTTP["host"] =~ "(^|\.)r-c\.sytes\.net$" {
server.document-root = "/var/www/r-c.sytes.net" 
server.errorlog = "/var/log/lighttpd/r-c.sytes.net/error.log" 
accesslog.filename = "/var/log/lighttpd/r-c.sytes.net/access.log" 
server.error-handler-404 = "/e404.php" 
auth.backend               = "htdigest" 
auth.backend.htdigest.userfile = "/etc/lighttpd/htdigest/passwd" 
auth.require               = ( "/fun" =>
                               (
                                 "method"  => "digest",
                                 "realm"   => "Restricted Area",
                                 "require" => "valid-user" 
                               ),
)
}

It's working as expected, that is, if I browse to http://r-c.sytes.net/fun
I would be prompted with the authentication window. However, I found out that I can easily bypass the password protection: When the authentication window pops up, I hit the "Escape" key, then I append a "/" to the end of the url, that is, I open http://r-c.sytes.net/fun/ and I was able to open the restricted page without a password! Is this a bug in the mod_auth? Also I was not able to use "htpasswd" as auth.backend, I got this message in the "error.log":

(http_auth.c.962) digest: unsupported backend (only htdigest or plain)

I'm using lighttpd-1.4.18-r3 with Gentoo 2007.0. Thank you in advance for your time.

-- ricochen27

Actions #1

Updated by admin over 16 years ago

The htpasswd backend is only usable for the basic method, not for the digest method, according to http://trac.lighttpd.net/trac/wiki/Docs%3AModAuth

server.errorlog = "/var/log/lighttpd/r-c.sytes.net/error.log"

You do know there can be only one error log, right?

Actions #2

Updated by admin over 16 years ago

I can't reproduce this issue:


server.modules = (
        "mod_auth" 
)

server.document-root = "/var/www" 
auth.backend = "htdigest" 
auth.backend.htdigest.userfile = "/etc/lighttpd/htdigest/passwd" 
auth.require = ( "/fun" =>
        (
                "method"  => "digest",
                "realm"   => "Restricted Area",
                "require" => "valid-user" 
        )
)

Can you?

I'm using 1.4.19 though, I think you should try 1.4.19 as well. ;)

Actions #3

Updated by stbuehler over 16 years ago

  • Status changed from New to Fixed
  • Resolution set to worksforme

Missing feedback; please attach a complete config which reproduces your problem if you reopen this bug (and please use 1.4.19 for testing)

Actions #4

Updated by stbuehler about 16 years ago

  • Status changed from Fixed to Missing Feedback
Actions

Also available in: Atom