lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <40238304.4090001@algroup.co.uk>
Date: Fri, 06 Feb 2004 12:05:24 +0000
From: Adam Laurie <adam@...roup.co.uk>
To: apache-ssl@...ts.aldigital.co.uk, apache-sslannounce@...ts.aldigital.co.uk,
   full-disclosure@...ts.netsys.com, bugtraq@...urityfocus.com
Subject: Apache-SSL security advisory - apache_1.3.28+ssl_1.52 and prior


Apache-SSL optional client certificate vulnerability
----------------------------------------------------

Synopsis
--------

If configured with SSLVerifyClient set to 1 or 3 (client certificates
optional) and SSLFakeBasicAuth, Apache-SSL 1.3.28+1.52 and all earlier
versions would permit a client to use real basic authentication to
forge a client certificate.

All the attacker needed is the "one-line DN" of a valid user, as used
by faked basic auth in Apache-SSL, and the fixed password ("password"
by default).

Fix
---

Install Apache-SSL 1.3.29+1.53 from the usual places (see
http://www.apache-ssl.org/).

Credits
-------

This vulnerability was found and reported by Wietse Venema.

cheers,
Adam
-- 
Adam Laurie                   Tel: +44 (20) 8742 0755
A.L. Digital Ltd.             Fax: +44 (20) 8742 5995
The Stores                    http://www.thebunker.net
2 Bath Road                   http://www.aldigital.co.uk
London W4 1LT                 mailto:adam@...roup.co.uk
UNITED KINGDOM                PGP key on keyservers

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ