oss-sec mailing list archives
Apache 2.2 HTTP Basic Auth bypass
From: Solar Designer <solar () openwall com>
Date: Tue, 28 Jul 2009 15:46:18 +0400
Hi, This is sort of an advance heads-up. ithilgore, an Nmap developer, CC'ed on this posting, mentioned on the nmap-dev mailing list (public) earlier today that he discovered an Apache HTTP Basic Auth bypass vulnerability, which is yet to be fully researched and reported. http://seclists.org/nmap-dev/2009/q3/0385.html ithilgore - I understand that you might have wanted to have a bit more time to play with this on your own, but you posted to a public list, which is why I consider it appropriate to post this to oss-security "without your consent" to let the distro vendors "prepare" (e.g., hold off on releasing update packages fixing some minor issues in anticipation of needing to add a critical fix in a matter of days - just to provide an example of how such advance notification can be of use). Of course, the Apache security team is represented on this list, too, so you might receive questions off-list, I guess. ;-) Alexander
Current thread:
- Apache 2.2 HTTP Basic Auth bypass Solar Designer (Jul 28)
- Re: Apache 2.2 HTTP Basic Auth bypass ithilgore (Jul 28)
- Re: Apache 2.2 HTTP Basic Auth bypass Solar Designer (Jul 28)
- Re: Apache 2.2 HTTP Basic Auth bypass ithilgore (Jul 28)
