Re: authentication scope with persistent connections

I posted to bugtraq, and posted a simple re-pro at
http://www.pocketsoap.com/weblog/stories/2002/06/01/iisAuth.html

Cheers
Simon

On Sat, 1 Jun 2002 20:57:27 -0700, in soap you wrote:

>If I understand you correctly and this is indeed the case, it's a 
>gapingly wide security hole; an intermediary making a persistent 
>connection would "share" authentication between its clients.
>
>E.g., Alice connects to vulnerable.example.com through 
>proxy.example.net, authenticates, and goes about her business. If 
>proxy.example.net keeps a persistent connection open, Bob can come along 
>and assume her identity while the connection is still open.
>
>Ouch.
>
>Worse still, if vulnerable.example.com uses a so-called "reverse-
>proxy"/"surrogate"/gateway, whether a local box or a distributed 
>CDN like Digital Island or Akamai, it will happen a lot more. As such, 
>I'm a bit surprised it hasn't been discovered sooner; I'd look into it 
>myself, but I don't have any Windows servers handy. I'd like to say that 
>this is too obvious a mistake for them to have made, but such wishful 
>thinking has been proven wrong in the past.
>
>This should be sent to bugtraq or similar for investigation ASAP.
>
>
>
>On Saturday, June 1, 2002, at 06:56  PM, Simon Fell wrote:
>
>> Hi Mark,
>>
>> On Sat, 1 Jun 2002 21:23:10 -0400, in soap you wrote:
>>
>>> Hi Simon,
>>>
>>> On Sat, Jun 01, 2002 at 03:45:12PM -0700, Simon Fell wrote:
>>>>
>>>> Hi,
>>>>
>>>> I'm trying to work out how authentication and persistent connections
>>>> interact. I initially thought that the authentication header will only
>>>> apply to the scope of that particular HTTP exchange, however I'm
>>>> seeing with IIS that subsequent requests on the same connection
>>>> continue to be treated as authenticated even if the following request
>>>> doesn't specify an authentication header.
>>>>
>>>> Can anyone clarify what the expected behavior should be ?
>>>
>>> If that's what's happening, IIS is broken.  The connection style
>>> doesn't impact the statelessness of the interaction.
>>>
>>> Are you sure that's what you're observing?
>>>
>>> MB
>>
>> I just double checked everything and I'm definitely seeing this.
>> I have IIS running on W2K Server with SP2, and have a page configured
>> for authenticated access only. I have a test HTTP/1.1 client that is
>> POSTing to this page. If I do 2 consecutive POSTs, the first with an
>> Authorization header and the second without one, the second POST
>> succeeds, rather than getting the expected 401. If I swap the two
>> POSTs around, so that the first one doesn't have the Authorization
>> header, then I do get the expected 401. I've attached a capture of the
>> HTTP traffic [from Ethereal].
>>
>> Cheers
>> Simon
>>

Received on Sunday, 2 June 2002 02:06:46 UTC
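The two authentication scopes argued about in this thread, per-request (what HTTP Basic auth requires) and per-connection (what Simon observed), modelled side by side as an added example; this is not code from the thread or a reproduction of IIS, and the user table, paths and credentials are constructed for illustration.

```python
import base64
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed user database for the example; not taken from the thread.
VALID_USERS = {"alice": "s3cret"}


@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str]


@dataclass
class Connection:
    """One persistent HTTP/1.1 connection. Only the broken handler stores state here."""
    authenticated_as: Optional[str] = None


def _check_basic(headers: Dict[str, str]) -> Optional[str]:
    """Return the username if this request carries valid Basic credentials, else None."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return None
    try:
        user, _, pw = base64.b64decode(value[6:]).decode().partition(":")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    return user if VALID_USERS.get(user) == pw else None


def handle_per_request(conn: Connection, req: Request) -> int:
    """Correct scoping: each request is authenticated on its own, connection ignored."""
    return 200 if _check_basic(req.headers) else 401


def handle_connection_scoped(conn: Connection, req: Request) -> int:
    """Broken scoping described in the thread: once one request on the connection
    authenticates, later requests on the same connection are treated as that user,
    which is how a shared proxy connection would let Bob ride on Alice's credentials."""
    user = _check_basic(req.headers)
    if user:
        conn.authenticated_as = user
    return 200 if conn.authenticated_as else 401


def run(handler, requests: List[Request]) -> List[int]:
    """Replay a sequence of requests over a single persistent connection."""
    conn = Connection()
    return [handler(conn, r) for r in requests]


def basic(user: str, pw: str) -> Dict[str, str]:
    return {"Authorization": "Basic " + base64.b64encode(f"{user}:{pw}".encode()).decode()}


# Simon's two test orders: authenticated POST first, then anonymous; and the reverse.
AUTH_THEN_ANON = [Request("POST", "/secure", basic("alice", "s3cret")), Request("POST", "/secure", {})]
ANON_THEN_AUTH = [Request("POST", "/secure", {}), Request("POST", "/secure", basic("alice", "s3cret"))]
```

Running `run(handle_connection_scoped, AUTH_THEN_ANON)` yields `[200, 200]` while the per-request handler yields `[200, 401]`; swapping the order gives `[401, 200]` for both, matching the observation that only the first-authenticated order exposes the difference.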