[Please upgrade Apache mod_ssl -- Raju]

This is an RFC 1153 digest.
(1 message)
----------------------------------------------------------------------

Message-ID: <[EMAIL PROTECTED]>
From: Adam Laurie <[EMAIL PROTECTED]>
Sender: [EMAIL PROTECTED]
To: [EMAIL PROTECTED], [EMAIL PROTECTED],
   [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: [Full-Disclosure] [apache-ssl] Apache-SSL security advisory - apache_1.3.28+ssl_1.52 and prior
Date: Fri, 06 Feb 2004 12:05:24 +0000

Apache-SSL optional client certificate vulnerability
----------------------------------------------------

Synopsis
--------

If configured with SSLVerifyClient set to 1 or 3 (client certificates
optional) and SSLFakeBasicAuth, Apache-SSL 1.3.28+1.52 and all earlier
versions would permit a client to use real basic authentication to
forge a client certificate.

All the attacker needed was the "one-line DN" of a valid user, as used
by faked basic auth in Apache-SSL, and the fixed password ("password"
by default).

Fix
---

Install Apache-SSL 1.3.29+1.53 from the usual places (see
http://www.apache-ssl.org/).

Credits
-------

This vulnerability was found and reported by Wietse Venema.

cheers,
Adam
-- 
Adam Laurie                   Tel: +44 (20) 8742 0755
A.L. Digital Ltd.             Fax: +44 (20) 8742 5995
The Stores                    http://www.thebunker.net
2 Bath Road                   http://www.aldigital.co.uk
London W4 1LT                 mailto:[EMAIL PROTECTED]
UNITED KINGDOM                PGP key on keyservers


-----------------------------------------------------------------------------------
to unsubscribe, send a blank email to: [EMAIL PROTECTED]

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
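The advisory names a specific configuration combination (SSLVerifyClient 1 or 3 together with SSLFakeBasicAuth) as the exposed state. The following is an added example, not code from the advisory, from Adam Laurie, or from the Apache-SSL project: a small audit script that reads an Apache-SSL configuration and reports every server scope in which both conditions hold, so an administrator can confirm whether the upgrade is urgent for a given host. It assumes (hypothetically) that SSLFakeBasicAuth counts as enabled whenever the directive appears in a scope, that SSLVerifyClient takes one numeric argument, and that a <VirtualHost> inherits the main-server settings unless it overrides them; the sample configuration text is constructed for the demonstration.

```python
"""Audit an Apache-SSL configuration for the optional-client-certificate +
SSLFakeBasicAuth combination named in the advisory.

Example code, not part of the advisory or of Apache-SSL. Assumptions
(hypothetical): SSLFakeBasicAuth is enabled when the directive appears in a
scope, SSLVerifyClient takes a single numeric argument, and a <VirtualHost>
inherits main-server settings it does not override. SAMPLE_CONFIG below is
constructed, not taken from any real host.
"""
import re

# Values the advisory identifies as "client certificates optional".
OPTIONAL_CLIENT_CERT = {"1", "3"}

VHOST_OPEN = re.compile(r"<VirtualHost\s+([^>]+)>", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"</VirtualHost>", re.IGNORECASE)


def parse_config(text):
    """Return {scope: {"verify": str|None, "fake": bool}}.

    'main' holds the main-server directives; each <VirtualHost> gets its own
    entry keyed by its address argument.
    """
    scopes = {"main": {"verify": None, "fake": False}}
    current = "main"
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        opened = VHOST_OPEN.match(line)
        if opened:
            current = f"VirtualHost {opened.group(1).strip()}"
            scopes[current] = {"verify": None, "fake": False}
            continue
        if VHOST_CLOSE.match(line):
            current = "main"
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "sslverifyclient" and len(parts) > 1:
            scopes[current]["verify"] = parts[1]
        elif directive == "sslfakebasicauth":
            scopes[current]["fake"] = True
    return scopes


def effective_settings(scopes, name):
    """Apply the assumed inheritance: a vhost falls back to main-server values."""
    main, own = scopes["main"], scopes[name]
    return {
        "verify": own["verify"] if own["verify"] is not None else main["verify"],
        "fake": own["fake"] or main["fake"],
    }


def find_exposed_scopes(text):
    """Names of scopes where SSLFakeBasicAuth is on and client certs are optional."""
    scopes = parse_config(text)
    exposed = []
    for name in scopes:
        eff = effective_settings(scopes, name)
        if eff["fake"] and eff["verify"] in OPTIONAL_CLIENT_CERT:
            exposed.append(name)
    return exposed


# Constructed sample: one exposed vhost, one with certificates required
# (not affected per the advisory), one with optional certs but no fake auth.
SAMPLE_CONFIG = """\
# constructed httpsd.conf fragment
SSLVerifyClient 0
<VirtualHost 192.0.2.10:443>
    ServerName intranet.example
    # client certificate optional, DN mapped to a basic-auth user
    SSLVerifyClient 1
    SSLFakeBasicAuth
</VirtualHost>
<VirtualHost 192.0.2.11:443>
    ServerName partners.example
    # certificate required: outside the advisory's affected configuration
    SSLVerifyClient 2
    SSLFakeBasicAuth
</VirtualHost>
<VirtualHost 192.0.2.12:443>
    ServerName public.example
    SSLVerifyClient 3
</VirtualHost>
"""

if __name__ == "__main__":
    for scope in find_exposed_scopes(SAMPLE_CONFIG):
        print(f"exposed: {scope} (optional client cert + SSLFakeBasicAuth)")
```

Run it against a real httpsd.conf by reading the file into `find_exposed_scopes`; any scope it reports is one where the advisory's precondition is met and the 1.3.29+1.53 upgrade should be applied first.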

------------------------------

End of this Digest
******************

-- 
Raj Mathur                [EMAIL PROTECTED]      http://kandalaya.org/
       GPG: 78D4 FC67 367F 40E2 0DD5  0FEF C968 D0EF CC68 D17F
                      It is the mind that moves

_______________________________________________
ilugd mailing list
[EMAIL PROTECTED]
http://frodo.hserus.net/mailman/listinfo/ilugd
