[BusyBox 0003694]: httpd accepts the empty username for a matching path and password
bugs at busybox.net
bugs at busybox.net
Wed Jun 11 19:03:39 UTC 2008
The following issue has been SUBMITTED.
======================================================================
http://busybox.net/bugs/view.php?id=3694
======================================================================
Reported By: lubek
Assigned To: BusyBox
======================================================================
Project: BusyBox
Issue ID: 3694
Category: Security
Reproducibility: always
Severity: major
Priority: normal
Status: assigned
======================================================================
Date Submitted: 06-11-2008 12:03 PDT
Last Modified: 06-11-2008 12:03 PDT
======================================================================
Summary: httpd accepts the empty username for a matching path
and password
Description:
When the request is missing the user field, httpd wrongly checks the
password for the first /path match when ENABLE_FEATURE_HTTPD_AUTH_MD5 and
enables the access for a wrong pair of credentials when the password
matches.
The bug exists in all busybox versions up to the trunk.
======================================================================
Issue History
Date Modified Username Field Change
======================================================================
06-11-08 12:03 lubek New Issue
06-11-08 12:03 lubek Status new => assigned
06-11-08 12:03 lubek Assigned To => BusyBox
======================================================================
More information about the busybox-cvs
mailing list