Bug #1598
Status: closed
Bypassing htdigest authentication by adding trailing "/" to the end of the url
Description
Hi, I'm having this weird problem with the mod_auth module. I was trying to set up password protection for one of the directories for virtual host r-c.sytes.net. I have the following configuration in my lighttpd.conf:
    server.modules = (
        "mod_access",
        "mod_auth",
        ......
    )
    ......
    $HTTP["host"] =~ "(^|\.)r-c\.sytes\.net$" {
        server.document-root = "/var/www/r-c.sytes.net"
        server.errorlog = "/var/log/lighttpd/r-c.sytes.net/error.log"
        accesslog.filename = "/var/log/lighttpd/r-c.sytes.net/access.log"
        server.error-handler-404 = "/e404.php"
        auth.backend = "htdigest"
        auth.backend.htdigest.userfile = "/etc/lighttpd/htdigest/passwd"
        auth.require = (
            "/fun" => (
                "method" => "digest",
                "realm" => "Restricted Area",
                "require" => "valid-user"
            ),
        )
    }
It's working as expected, that is, if I browse to http://r-c.sytes.net/fun I am prompted with the authentication window. However, I found out that I can easily bypass the password protection: when the authentication window pops up, I hit the "Escape" key, then I append a "/" to the end of the url, that is, I open http://r-c.sytes.net/fun/ and I am able to open the restricted page without a password! Is this a bug in mod_auth? Also, I was not able to use "htpasswd" as auth.backend; I got this message in the "error.log":
(http_auth.c.962) digest: unsupported backend (only htdigest or plain)
I'm using lighttpd-1.4.18-r3 with Gentoo 2007.0. Thank you in advance for your time.
-- ricochen27
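A way to verify the behaviour described in this report from the defender's side is to check that each protected prefix, both as configured and with a trailing "/", still answers an unauthenticated request with a Digest challenge. The script below is an added example, not code from the ticket or from the lighttpd project; the base URL, the list of protected prefixes and the sample result table are assumptions.

```python
"""Check that protected paths, with and without a trailing "/",
challenge an unauthenticated client (HTTP 401 + WWW-Authenticate: Digest)."""
import sys
import urllib.error
import urllib.request


def path_variants(path):
    """Return the prefix as configured in auth.require and its trailing-slash form."""
    base = path.rstrip("/") or "/"
    return [base, base + "/"]


def probe(base_url, path, timeout=5):
    """GET base_url+path with no credentials; return (status, WWW-Authenticate)."""
    req = urllib.request.Request(base_url.rstrip("/") + path, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("WWW-Authenticate", "")
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("WWW-Authenticate", "")


def classify(status, www_auth):
    """'protected' only if the server issued a Digest challenge."""
    if status == 401 and www_auth.lower().startswith("digest"):
        return "protected"
    if status == 200:
        return "exposed"      # content served without any credentials
    return "other"            # e.g. redirect or 404: still not a challenge, so report it


def unprotected_variants(results):
    """results: {path: (status, www_auth)} -> paths that were not challenged."""
    return [p for p, (s, w) in results.items() if classify(s, w) != "protected"]


def audit(base_url, protected_prefixes):
    """Probe every prefix and its "/" variant; return the ones not challenged."""
    results = {}
    for prefix in protected_prefixes:
        for variant in path_variants(prefix):
            results[variant] = probe(base_url, variant)
    return unprotected_variants(results)


# Constructed sample: what a server showing the reported bug would answer.
SAMPLE_RESULTS = {"/fun": (401, 'Digest realm="Restricted Area", nonce="abc"'),
                  "/fun/": (200, "")}

if __name__ == "__main__":
    # Usage: python check_auth.py http://r-c.sytes.net /fun   (assumed host)
    if len(sys.argv) >= 3:
        print("not challenged:", audit(sys.argv[1], sys.argv[2:]))
    else:
        print("not challenged (sample):", unprotected_variants(SAMPLE_RESULTS))
```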
Updated by admin over 16 years ago
The htpasswd backend is only usable for the basic method, not for the digest method, according to http://trac.lighttpd.net/trac/wiki/Docs%3AModAuth

    server.errorlog = "/var/log/lighttpd/r-c.sytes.net/error.log"

You do know there can be only one error log, right?
Updated by admin over 16 years ago
I can't reproduce this issue:
    server.modules = ( "mod_auth" )
    server.document-root = "/var/www"
    auth.backend = "htdigest"
    auth.backend.htdigest.userfile = "/etc/lighttpd/htdigest/passwd"
    auth.require = (
        "/fun" => (
            "method" => "digest",
            "realm" => "Restricted Area",
            "require" => "valid-user"
        )
    )
Can you?
I'm using 1.4.19 though, I think you should try 1.4.19 as well. ;)
Updated by stbuehler over 16 years ago
- Status changed from New to Fixed
- Resolution set to worksforme
Missing feedback; please attach a complete config which reproduces your problem if you reopen this bug (and please use 1.4.19 for testing).
Updated by stbuehler about 16 years ago
- Status changed from Fixed to Missing Feedback