
View full version : SECURITY flaw in busybox_httpd authentication !!!



gundal
28-01-2005, 16:15
People,

Just now I discovered a security flaw in username/password authentication of busybox_httpd :eek:. This flaw makes you think you secured some of your pages with username/password, but in fact they are NOT secure and very easy to compromise.

I would like to ask the developer of BusyBox (was it Oleg?) to drop me a message, or contact me by email to talk about this flaw and how to handle.

Used firmware: 1.9.2.7 (CR3b).
Used storage: 6GB USB-HDD (Fat32 formatted)

int
28-01-2005, 16:41
This is an open source system.

you may tell the flaw here!

Oleg
28-01-2005, 16:46
I would like to ask the developer of BusyBox (was it Oleg?) to drop me a message, or contact me by email to talk about this flaw and how to handle.

www.busybox.net

Anyway, this could be a cache problem of your browser, not a real flaw. You could send this info to me via PM, I will review it then.

gundal
28-01-2005, 19:46
Oleg,

This is not a cache problem. It has to do with case handling of busybox httpd, I suppose. I'll try to explain it.

When you host a site http://<URL>/ and you want to protect all pages below /admin/ with username and password, you have to insert a line in httpd.conf like:
/admin:user:password
Busybox httpd requires authentication when someone wants to enter the page with http://<URL>/admin/index.html.
It does not require authentication when someone tries to enter with http://<URL>/Admin/index.html. It grants immediate access!

Maybe this is only the case when the web pages are stored on a FAT32 volume.

Oleg
28-01-2005, 19:55
Exactly. FAT32 is case insensitive, so from the point of view of httpd these names are different.

gundal
28-01-2005, 20:04
In this case the authentication feature of httpd is not very useful in combination with a FAT32 volume. Httpd accepts URLs in a case-insensitive manner, while httpd.conf only works case-sensitively. This is not manageable. :(

Possible workaround is using very short (one letter) paths and inserting both combinations in httpd.conf.

Oleg
28-01-2005, 20:22
In fact httpd is case sensitive, but vfat is not. So, httpd thinks admin & Admin are different names, while vfat returns the same directory.
Use numbers. :)
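The mismatch gundal and Oleg describe, modelled as an added example (this is not BusyBox's httpd code): the protected-prefix check from httpd.conf is a byte-exact comparison, while a vfat/FAT32 volume hands back the same directory for `admin` and `Admin`. The block shows the exact check beside a variant that folds case, which is the check a server should apply when it knows the backing volume is case-insensitive, and it includes a `/1` rule to show why the "use numbers" workaround holds (digits have no case variants). The rule set, the requests and the function names are constructed for the example.

```python
"""
Added example, not BusyBox's own code: a model of httpd.conf path-based
authentication with a byte-exact prefix match, beside a variant that folds
case, to show why the rule `/admin:user:password` can be side-stepped on a
case-insensitive volume such as FAT32 and how the check should be written
for such a volume. All rules and requests below are constructed.
"""
import posixpath

# Constructed httpd.conf-style rules: protected path prefix -> (user, password).
# "/1" models the thread's "use numbers" workaround: digits have no case variants.
AUTH_RULES = {
    "/admin": ("user", "password"),
    "/1": ("user", "password"),
}


def normalize_url_path(url_path):
    """Collapse '.', '..' and repeated slashes so prefix matching sees one form."""
    return posixpath.normpath("/" + url_path.lstrip("/"))


def requires_auth(url_path, rules=AUTH_RULES, fold_case=False):
    """Return True when url_path falls under a protected prefix.

    fold_case=False: byte-exact comparison, the behaviour gundal describes
    (/Admin/ is not matched by the /admin rule, so no credentials are asked for).
    fold_case=True: case-insensitive comparison, which is the right check when
    the backing filesystem (vfat/FAT32) treats admin and Admin as one directory.
    """
    path = normalize_url_path(url_path)
    if fold_case:
        path = path.lower()
    for prefix in rules:
        rule = normalize_url_path(prefix)
        if fold_case:
            rule = rule.lower()
        # Match the protected directory itself or anything below it, but not /adminx.
        if path == rule or path.startswith(rule.rstrip("/") + "/"):
            return True
    return False


def vfat_same_entry(path_a, path_b):
    """Model of the vfat behaviour Oleg describes: names that differ only
    in case resolve to the same on-disk entry."""
    return normalize_url_path(path_a).lower() == normalize_url_path(path_b).lower()


def audit_requests(requests, fold_case):
    """Map each request to whether the check demands credentials; useful for
    reviewing a rule set against the case variants a volume will accept."""
    return {r: requires_auth(r, fold_case=fold_case) for r in requests}


if __name__ == "__main__":
    sample = ["/admin/index.html", "/Admin/index.html", "/ADMIN/",
              "/admin", "/adminx/x.html", "/1/index.html"]
    for r in sample:
        print(f"{r:20s} exact={requires_auth(r)!s:5} "
              f"folded={requires_auth(r, fold_case=True)}")
```

Folding case only closes the gap the thread identifies; it does not cover other aliases a filesystem may accept (FAT short names, trailing dots or spaces), so the more robust design is to resolve the request to the on-disk directory first and apply the rule to that resolved path.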

gundal
28-01-2005, 20:44
Numbers! Good idea! :rolleyes:
Thanx.