
Basic Auth. Password Matching

Hi all,

I discovered a feature or bug in the basic authentication mechanism.

If the password matches the following regexp [1] and includes any
garbage characters at its end, the server says OK.

For example:

Our password is testing15, and if the user enters testing15uaik, HTTP 200 OK
will be sent.

I'm using Debian Sarge and Apache 2.0.54 (from the apt repository), with the
latest security updates applied.


[1] ^(.*)[0-9]{2}$

Cafer 'cfb' Şimşek
