Basic Auth. Password Matching

To: debian-apache@lists.debian.org
Subject: Basic Auth. Password Matching
From: cfb@cafer.org (Cafer Şimşek)
Date: Sat, 18 Mar 2006 23:36:21 +0200
Message-id: <[🔎] 87oe03ph9m.fsf@hebele.com>

Hi all,

I discovered a feature or bug about basic authentication mechanism.

If the password matches the following[1] regexp, and includes any
garbage characters at the end of its, server says OK.

For example:

our password is testing15, and the user enters testing15uaik it will
be sent HTTP 200 Ok.

I'm using Debian Sarge, Apache 2.0.54 (from apt repository), and
latest security updates applied.

Regards.

[1] ^(.*)[0-9]{2}$

-- 
Cafer 'cfb' Şimşek
http://cafer.org

Reply to:

Follow-Ups:
- Re: Basic Auth. Password Matching
  - From: cfb@cafer.org (Cafer Şimşek)

Prev by Date: Bug#357662: howto/cgi.html.en: add newline
Next by Date: Re: Basic Auth. Password Matching
Previous by thread: Bug#357662: howto/cgi.html.en: add newline
Next by thread: Re: Basic Auth. Password Matching
Index(es):
- Date
- Thread