Bug#230999: [CAN-2003-0987] mod_digest for Apache does not properly verify the nonce of a client response by using a AuthNonce secret.
* J.H.M. Dassen (Ray) (firstname.lastname@example.org) wrote:
> On Tue, Feb 03, 2004 at 14:05:25 -0800, Matt Zimmerman wrote:
> > > mod_digest for Apache does not properly verify the nonce of a client
> > > response by using a AuthNonce secret.
> > Can anyone explain the true impact of this bug?
In a purely social context, it probably isn't particularly high - very few
sites use digest auth since (a) it's broken in IE and (b) Basic over SSL is
easier to set up and more widely available.
I'll check out exactly what response upstream will be making and what the
urgency they feel for the problem is.