
Re: Basic Auth. Password Matching



cfb@cafer.org (Cafer Şimşek) writes:

> Hi all,
>
> I discovered a feature or bug in the basic authentication mechanism.
>
> If the password matches the following[1] regexp, and includes any
> garbage characters at the end of it, the server says OK.
>
> For example:
>
> our password is testing15, and the user enters testing15uaik it will
> be sent HTTP 200 Ok.
>
> I'm using Debian Sarge, Apache 2.0.54 (from apt repository), and
> latest security updates applied.
>
> Regards.
>
> [1] ^(.*)[0-9]{2}$

Ok, that was my mistake. By default it's using CRYPT (first 8
characters). When using MD5 or SHA, there is no issue.

Sorry.

>
> -- 
> Cafer 'cfb' Şimşek
> http://cafer.org
>

-- 
Cafer 'cfb' Şimşek
http://cafer.org
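
An added example, not part of the original message: a Python sketch that models the 8-character comparison the reply describes and flags htpasswd entries stored in the traditional CRYPT format. The function names and the sample file contents (placeholder hash values) are constructed for illustration.

```python
import re

# Traditional DES crypt(3) output: 2 salt chars + 11 hash chars, all from [./0-9A-Za-z].
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")

def same_under_crypt(a, b):
    """True if two passwords are indistinguishable to CRYPT, which uses only 8 bytes."""
    return a.encode()[:8] == b.encode()[:8]

def classify_hash(value):
    """Return the scheme name for one stored htpasswd hash value."""
    if value.startswith("$apr1$"):
        return "MD5"
    if value.startswith("{SHA}"):
        return "SHA"
    if DES_CRYPT.match(value):
        return "CRYPT"
    return "OTHER"

def audit_htpasswd(text):
    """Return (line_no, user, scheme) for every entry in htpasswd-format text."""
    results = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no credentials
        user, sep, value = line.partition(":")
        if not sep:
            results.append((n, line, "MALFORMED"))
            continue
        results.append((n, user, classify_hash(value)))
    return results

def truncated_users(text):
    """Users whose passwords are only checked on their first 8 characters."""
    return [user for _, user, scheme in audit_htpasswd(text) if scheme == "CRYPT"]

# Constructed sample file; the hash values are placeholders, not real digests.
SAMPLE = """\
# constructed example
alice:abCDEFGHIJKLM
bob:$apr1$saltsalt$0123456789abcdefghijk.
carol:{SHA}AAAAAAAAAAAAAAAAAAAAAAAAAAA=
"""

if __name__ == "__main__":
    print(same_under_crypt("testing15", "testing15uaik"))
    print(truncated_users(SAMPLE))
```

Entries reported as CRYPT can be regenerated with an MD5 or SHA scheme so that the whole password is compared.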


