Project

General

Profile

Bug #477

misformed auth exploit / DOS attack

Added by Anonymous almost 13 years ago. Updated over 12 years ago.

Status:
Fixed
Priority:
High
Assignee:
-
Category:
mod_auth
Target version:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Missing in 1.5.x:

Description

Misformed auth requests can cause lighttpd (1.4.9) to crash:

Program received signal SIGSEGV, Segmentation fault.
0x224f2a46 in http_auth_digest_check (srv=0x8068a48, con=0x0, p=0x807ffb0, req=0x8083758, url=0x0,
realm_str=0x80de76f "username=\"beta\", realm=\"Beta\", nonce=\"b1d12348b4620437c43dd61c50ae4639\", uri=\"/MJ-BONG.xm.mpc\", qop=auth, noncecount=00000001\", cnonce=\"036FCA5B86F7E7C4965C7F9B8FE714B7\", response=\"29B32C2953C763C6D03"...) at http_auth.c:931
931 MD5_Update(&Md5Ctx, (unsigned char *)nc, strlen(nc));

Chat excerpt:

<DEATH> Digest realm="Beta", nonce="b1d12348b4620437c43dd61c50ae4639", qop="auth"
<DEATH> Digest username="beta", realm="Beta", nonce="b1d12348b4620437c43dd61c50ae4639", uri="/MJ-BONG.xm.mpc", qop=auth, noncecount=00000001", cnonce="036FCA5B86F7E7C4965C7F9B8FE714B7", response="29B32C2953C763C6D033C8A49983B87E"
<DEATH> note bad " after noncecount

-- gcp

Associated revisions

Revision 971 (diff)
Added by jan almost 13 years ago

qop is required nc and nonce (fixes #477)

Revision 4a81e17c (diff)
Added by jan almost 13 years ago

qop is required nc and nonce (fixes #477)

git-svn-id: svn://svn.lighttpd.net/lighttpd/branches/lighttpd-merge-1.4.x@971 152afb58-edef-0310-8abb-c4023f1b3aa9

History

#1

Updated by jan almost 13 years ago

  • Status changed from New to Assigned

i can verify the bug and added a testcase to the testsuite.

#2

Updated by jan almost 13 years ago

  • Status changed from Assigned to Fixed
  • Resolution set to fixed

fixed in r971

Also available in: Atom