| ID | Category | Severity | Reproducibility | Date Submitted | Last Update |
| 0003694 | [BusyBox] Security | major | always | 06-11-08 12:03 | 06-14-08 04:34 |
| Reporter | lubek | View Status | public |
| Assigned To | BusyBox |
| Priority | normal | Resolution | fixed |
| Status | closed | Product Version | |
| Summary | 0003694: httpd accepts the empty username for a matching path and password |
| Description |
When the request is missing the user field, httpd wrongly checks the password for the first /path match when ENABLE_FEATURE_HTTPD_AUTH_MD5 is enabled, and allows access for a wrong pair of credentials when the password matches. The bug exists in all BusyBox versions up to the trunk.
| Additional Information |
When request=":password":

    ...
    u = strchr(request, ':');
    ...
    if (strncmp(p, request, u - request) != 0) {
        /* user doesn't match */
    ...

The strncmp function always returns zero for a zero-length parameter, and httpd continues on to check the password for a zero-length username and a matching /path.
| Notes |
(0008234) vda 06-14-08 04:34
Fixed in svn, patch by Peter Korsgaard <jacmet@uclibc.org>
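The username comparison quoted in the report, shown next to a stricter check, as an added example that is not BusyBox code and not the patch referenced above. The function names, the "user:password" layout of the stored entry and the sample credentials are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Comparison as quoted in the report: only the first (u - request) bytes of
 * the stored entry are compared. With an empty username that length is 0,
 * and strncmp() returns 0 for a zero-length compare.
 * Returns 1 when the user part is treated as a match. */
static int user_match_reported(const char *stored, const char *request)
{
    const char *u = strchr(request, ':');
    if (u == NULL)
        return 0;
    return strncmp(stored, request, (size_t)(u - request)) == 0;
}

/* Stricter check (hypothetical, not the project's fix): the supplied name
 * must be non-empty and exactly as long as the stored name before the
 * bytes are compared. */
static int user_match_strict(const char *stored, const char *request)
{
    const char *u = strchr(request, ':');
    const char *s = strchr(stored, ':');
    if (u == NULL || s == NULL || u == request)
        return 0;                       /* malformed or empty username */
    if ((u - request) != (s - stored))
        return 0;                       /* name lengths differ */
    return memcmp(stored, request, (size_t)(u - request)) == 0;
}

int main(void)
{
    /* Constructed sample data: one stored entry and three requests. */
    const char *stored = "admin:secret";
    const char *reqs[] = { "admin:secret", ":secret", "bob:secret" };
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++)
        printf("%-14s reported=%d strict=%d\n", reqs[i],
               user_match_reported(stored, reqs[i]),
               user_match_strict(stored, reqs[i]));
    return 0;
}
```
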