Basic Auth. Password Matching
Hi all,
I discovered a feature or bug in the basic authentication mechanism.
If the password matches the following[1] regexp and includes any
garbage characters at its end, the server says OK.
For example:
our password is testing15, and if the user enters testing15uaik, an
HTTP 200 OK will be sent.
I'm using Debian Sarge, Apache 2.0.54 (from the apt repository), with
the latest security updates applied.
Regards.
[1] ^(.*)[0-9]{2}$
--
Cafer 'cfb' Şimşek
http://cafer.org