Re: authentication scope with persistant connections from Mark Nottingham on 2002-06-02 (www-talk@w3.org from May to June 2002)

From: Mark Nottingham <mnot@mnot.net>
Date: Sat, 1 Jun 2002 20:57:27 -0700
To: Simon Fell <soap@zaks.demon.co.uk>
Cc: Mark Baker <distobj@acm.org>, www-talk@w3.org
Message-Id: <DA974947-75DC-11D6-A85C-000A27836A68@mnot.net>

If I understand you correctly and this is indeed the case, it's a 
gapingly wide security hole; an intermediary making a persistent 
connection would "share" authentication between its clients.

E.g., Alice connects to vulnerable.example.com through 
proxy.example.net, authenticates, and goes about her business. If 
proxy.example.net keeps a persistent connection open, Bob can come along 
and assume her identity while the connection is still open.

Ouch.

Worse still, if vulnerable.example.com uses a so-called "reverse-
proxy"/"surrogate"/gateway, such whether a local box or a distributed 
CDN like Digital Island or Akamai, it will happen a lot more. As such, 
I'm a bit surprised it hasn't been discovered sooner; I'd look into it 
myself, but I don't have any Windows servers handy. I'd like to say that 
this is too obvious a mistake for them to have made, but such wishful 
thinking has been proven wrong in the past.

This should be sent to bugtrak or similar for investigation ASAP.

On Saturday, June 1, 2002, at 06:56  PM, Simon Fell wrote:

> Hi Mark,
>
> On Sat, 1 Jun 2002 21:23:10 -0400, in soap you wrote:
>
>> Hi Simon,
>>
>> On Sat, Jun 01, 2002 at 03:45:12PM -0700, Simon Fell wrote:
>>>
>>> Hi,
>>>
>>> I'm trying to work out how authentication and persistent connections
>>> interact. I initially thought that the authentication header will only
>>> apply to the scope of that particular HTTP exchange, however I'm
>>> seeing with IIS that subsequent requests on the same connection
>>> continue to be treated as authenticated even if the following request
>>> doesn't specify an authentication header.
>>>
>>> Can anyone clarify what the expected behavior should be ?
>>
>> If that's what's happening, IIS is broken.  The connection style
>> doesn't impact the statelessness of the interaction.
>>
>> Are you sure that's what you're observing?
>>
>> MB
>
> I Just double checked everything and this I'm definitely seeing this.
> I have IIS running on W2K Server with SP2, and have a page configured
> for authenticated access only. I have a test HTTP/1.1 client that is
> POSTing to this page. If i do 2 consecutive POSTs the first with an
> Authorization header and the second without one, the second POST
> succeeds, rather than getting the expected 401. If i swap the two
> POSTs around, so that the first one doesn't have the Authorization
> header, then i do get the expected 401. I've attached a capture of the
> HTTP traffic [from Ethereal]
>
> Cheers
> Simon
>
--
Mark Nottingham
http://www.mnot.net/

Received on Saturday, 1 June 2002 23:58:21 UTC