SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Welcome to SecurityTracker!
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Application (Web Server/CGI)  >  Apache mod_digest Vendors:  Apache Software Foundation
Apache mod_digest May Validate Replayed Client Responses
SecurityTracker Alert ID:  1008920
SecurityTracker URL:  http://securitytracker.com/id?1008920
CVE Reference:  CAN-2003-0987   (Links to External Site)
Updated:  Apr 13 2004
Original Entry Date:  Feb 3 2004
Impact:  User access via network
Fix Available:  Yes   Vendor Confirmed:  Yes  
Version(s): 1.3.29 and prior versions
Description:  A vulnerability was reported in Apache mod_digest. The software may not correctly validate a client response, allowing a remote user to replay a response to gain access to an ostensibly protected system.

It is reported that mod_digest does not properly verify the nonce of a client response. A remote user may be able to replay a response to be authenticated in certain cases.

The report indicates that a remote user can capture the response from another section of the target web site (or another web site entirely). If the target user's username+password combination is the same and the realm is the same, the remote user can reportedly replay the digest response to be successfully authenticated.

Dirk-Willem van Gulik reported this flaw.
Impact:  A remote user may be able to be authenticated in certain cases.
Solution:  The vendor has released a fixed development version (1.3.31-dev).
Vendor URL:  www.mail-archive.com/dev@httpd.apache.org/msg19007.html (Links to External Site)
Cause:  Authentication error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
May 13 2004 (Slackware Issues Fix) Apache mod_digest May Validate Replayed Client Responses   (Slackware Security Team <security@slackware.com>)
Slackware has released a fix.
May 18 2004 (Mandrake Issues Fix) Apache mod_digest May Validate Replayed Client Responses   (Mandrake Linux Security Team <security@linux-mandrake.com>)
Mandrake has released a fix.
May 20 2004 (Mandrake Issues Fix for mod_perl) Apache mod_digest May Validate Replayed Client Responses   (Mandrake Linux Security Team <security@linux-mandrake.com>)
Mandrake has issued a fix for mod_perl.
May 26 2004 (Gentoo Issues Fix) Apache mod_digest May Validate Replayed Client Responses   (Kurt Lieber <klieber@gentoo.org>)
Gentoo has released a fix.
Sep 1 2004 (SCO Issues Fix) Apache mod_digest May Validate Replayed Client Responses   (please_reply_to_security@sco.com)
SCO has issued a fix for OpenServer 5.0.6 and 5.0.7.
Sep 10 2004 (Sun Issues Fix) Apache mod_digest May Validate Replayed Client Responses
Sun has issued a fix for Solaris 9.
Dec 2 2004 (Apple Issues Fix for OS X) Apache mod_digest May Validate Replayed Client Responses
Apple has issued a fix for Apache on Mac OS X.


 Source Message Contents
Date:  Tue, 03 Feb 2004 04:13:25 -0500
Subject:  http://www.mail-archive.com/dev@httpd.apache.org/msg19007.html

 

http://www.mail-archive.com/dev@httpd.apache.org/msg19007.html

CVE:  CAN-2003-0987


RCS file: /home/cvs/apache-1.3/src/CHANGES,v
retrieving revision 1.1914
diff -u -r1.1914 CHANGES
--- src/CHANGES 14 Dec 2003 18:16:49 -0000      1.1914
+++ src/CHANGES 18 Dec 2003 21:25:56 -0000
@@ -1,5 +1,11 @@
  Changes with Apache 1.3.30

+  *) SECURITY - verification as to wether the nonce returned in the
+     client response is one we issued ourselves by means of a
+     AuthNonce secret exposed as an md5(). See mod_digest documentation
+     for more details. The experimental/mod_auth_digest.c does not
+     have this issue.  [Dirk-Willem van Gulik]


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2004, SecurityGlobal.net LLC