[BusyBox 0003694]: httpd accepts the empty username for a matching path and password
bugs at busybox.net
bugs at busybox.net
Sat Jun 14 11:34:45 UTC 2008
The following issue has been CLOSED
======================================================================
http://busybox.net/bugs/view.php?id=3694
======================================================================
Reported By: lubek
Assigned To: BusyBox
======================================================================
Project: BusyBox
Issue ID: 3694
Category: Security
Reproducibility: always
Severity: major
Priority: normal
Status: closed
Resolution: open
Fixed in Version:
======================================================================
Date Submitted: 06-11-2008 12:03 PDT
Last Modified: 06-14-2008 04:34 PDT
======================================================================
Summary: httpd accepts the empty username for a matching path
and password
Description:
When the request is missing the user field, httpd wrongly checks the
password for the first /path match when ENABLE_FEATURE_HTTPD_AUTH_MD5 and
enables the access for a wrong pair of credentials when the password
matches.
The bug exists in all busybox versions up to the trunk.
======================================================================
----------------------------------------------------------------------
vda - 06-14-08 04:34
----------------------------------------------------------------------
Fixed in svn, patch by Peter Korsgaard <jacmet at uclibc.org>
Issue History
Date Modified Username Field Change
======================================================================
06-11-08 12:03 lubek New Issue
06-11-08 12:03 lubek Status new => assigned
06-11-08 12:03 lubek Assigned To => BusyBox
06-12-08 03:37 lubek File Added: httpd_username.patch
06-14-08 04:34 vda Status assigned => closed
06-14-08 04:34 vda Note Added: 0008234
======================================================================
More information about the busybox-cvs
mailing list