List:       apache-modperl
Subject:    bug in exploder blows up Digest security
From:       Steven Lembark <lembark () wrkhors ! com>
Date:       2001-03-29 23:22:29

anyone know of a way around this?  i have a site that depends heavily on
anchors for delivering reports.  exploder chops off the uri at the
arguments, which is not what mod_auth_digest (nor RFC 2617) expect.

anyone know of a way to force exploder to use the full uri for the digest
authorization header?  rewrite doesn't seem likely to help since the hash
was generated with the wrong value of the uri to begin with.

thanx.



GET /tdrdw/Data?menuform=1&report=&lookup=&report=sar_min_esn&lookup=9999999999&all=0 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,
application/vnd.ms-powerpoint, application/vnd.ms-excel,
application/msword, application/pdf,
 */*
Accept-Encoding: gzip, deflate
Accept-Language: en-us
Authorization: Digest username="paul", realm="TDRDW", qop="auth",
 algorithm="MD5", uri="/tdrdw/Data",
 nonce="OsOuHA==3be36661a184a9851d9263409b407031c9fc8928",
 nc=00000007, cnonce="456ac2f6e01485024bbb49b3652923dc",
 response="3f9fe67dfe9188da6a358520d41e1dbe"
Connection: Keep-Alive
Host: alpha:8082
Referer: http://alpha:8082/tdrdw/Menu
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)

HTTP/1.1 (null)




[Thu Mar 29 15:54:58 2001] [error] [client 10.35.2.5] Digest: uri mismatch - </tdrdw/Data> does not match request-uri </tdrdw/Data?menuform=1&report=&lo


-- 
 Steven Lembark                                   2930 W. Palmer St.
                                                 Chicago, IL  60647
 lembark@wrkhors.com                                   800-762-1582
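
Added example (not part of the original message and not mod_auth_digest code): an RFC 2617 qop=auth check in Python showing why the request above is rejected and why rewriting the URI on the server cannot repair it. The password, nonce, cnonce and query string are constructed, and the three mode names are hypothetical labels used only here.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    """RFC 2617 request-digest for qop=auth, algorithm=MD5."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")  # the uri is bound into the hash here
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")

def verify(method, request_uri, auth, password, mode="strict"):
    """Return 'ok', 'uri-mismatch' or 'bad-response'.

    strict     - header uri must equal the request-URI (the logged error)
    substitute - ignore the header uri and hash the real request-URI
    path-only  - header uri must equal the request path; hash the header uri
    """
    hashed_uri = auth["uri"]
    if mode == "strict" and auth["uri"] != request_uri:
        return "uri-mismatch"
    if mode == "path-only" and auth["uri"] != urlsplit(request_uri).path:
        return "uri-mismatch"
    if mode == "substitute":
        hashed_uri = request_uri
    expected = digest_response(auth["username"], auth["realm"], password,
                               method, hashed_uri, auth["nonce"],
                               auth["nc"], auth["cnonce"])
    ok = hmac.compare_digest(expected, auth["response"])
    return "ok" if ok else "bad-response"

# Constructed sample data; only username, realm, uri and nc come from the post.
PASSWORD = "constructed-password"
REQUEST_URI = "/tdrdw/Data?menuform=1&report=sar_min_esn&all=0"

def truncating_client_header():
    """Header as built by a client that drops the query string from uri."""
    auth = {"username": "paul", "realm": "TDRDW", "uri": "/tdrdw/Data",
            "nonce": "constructed-nonce", "nc": "00000007",
            "cnonce": "constructed-cnonce"}
    auth["response"] = digest_response("paul", "TDRDW", PASSWORD, "GET",
                                       auth["uri"], auth["nonce"],
                                       auth["nc"], auth["cnonce"])
    return auth

if __name__ == "__main__":
    for mode in ("strict", "substitute", "path-only"):
        print(mode, verify("GET", REQUEST_URI, truncating_client_header(),
                           PASSWORD, mode))
```

In path-only mode the query string is outside the hash, so a request with a different query string still verifies against the same response value.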
