- From: Simon Fell <soap@zaks.demon.co.uk>
- Date: Sat, 01 Jun 2002 23:07:10 -0700
- To: Mark Nottingham <mnot@mnot.net>
- Cc: www-talk@w3.org
I posted to bugtraq, and posted a simple re-pro at http://www.pocketsoap.com/weblog/stories/2002/06/01/iisAuth.html

Cheers
Simon

On Sat, 1 Jun 2002 20:57:27 -0700, in soap you wrote:

> If I understand you correctly and this is indeed the case, it's a
> gapingly wide security hole; an intermediary making a persistent
> connection would "share" authentication between its clients.
>
> E.g., Alice connects to vulnerable.example.com through
> proxy.example.net, authenticates, and goes about her business. If
> proxy.example.net keeps a persistent connection open, Bob can come along
> and assume her identity while the connection is still open.
>
> Ouch.
>
> Worse still, if vulnerable.example.com uses a so-called
> "reverse-proxy"/"surrogate"/gateway, whether a local box or a distributed
> CDN like Digital Island or Akamai, it will happen a lot more. As such,
> I'm a bit surprised it hasn't been discovered sooner; I'd look into it
> myself, but I don't have any Windows servers handy. I'd like to say that
> this is too obvious a mistake for them to have made, but such wishful
> thinking has been proven wrong in the past.
>
> This should be sent to bugtraq or similar for investigation ASAP.
>
> On Saturday, June 1, 2002, at 06:56 PM, Simon Fell wrote:
>
>> Hi Mark,
>>
>> On Sat, 1 Jun 2002 21:23:10 -0400, in soap you wrote:
>>
>>> Hi Simon,
>>>
>>> On Sat, Jun 01, 2002 at 03:45:12PM -0700, Simon Fell wrote:
>>>>
>>>> Hi,
>>>>
>>>> I'm trying to work out how authentication and persistent connections
>>>> interact. I initially thought that the authentication header will only
>>>> apply to the scope of that particular HTTP exchange, however I'm
>>>> seeing with IIS that subsequent requests on the same connection
>>>> continue to be treated as authenticated even if the following request
>>>> doesn't specify an authentication header.
>>>>
>>>> Can anyone clarify what the expected behavior should be?
>>>
>>> If that's what's happening, IIS is broken. The connection style
>>> doesn't impact the statelessness of the interaction.
>>>
>>> Are you sure that's what you're observing?
>>>
>>> MB
>>
>> I just double checked everything and I'm definitely seeing this.
>> I have IIS running on W2K Server with SP2, and have a page configured
>> for authenticated access only. I have a test HTTP/1.1 client that is
>> POSTing to this page. If I do 2 consecutive POSTs, the first with an
>> Authorization header and the second without one, the second POST
>> succeeds, rather than getting the expected 401. If I swap the two
>> POSTs around, so that the first one doesn't have the Authorization
>> header, then I do get the expected 401. I've attached a capture of the
>> HTTP traffic [from Ethereal]
>>
>> Cheers
>> Simon
>>
Received on Sunday, 2 June 2002 02:06:46 UTC
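The test Simon describes (two POSTs on one persistent HTTP/1.1 connection, the first carrying an Authorization header and the second not) is easy to turn into a regression check for your own servers. The script below is an added example and is not part of the thread, Simon's re-pro, or any IIS code. It runs entirely against a local Python server so it works offline: the `sticky=False` handler shows the correct, stateless behaviour (each request is judged on its own headers), while the `sticky=True` handler only models the misbehaviour reported above by keeping an "already authenticated" flag on the connection; it is not a claim about how IIS was actually implemented. The credential `alice:secret`, the path `/protected` and the realm name are constructed for the demo.

```python
import base64
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed credential for the local demo; not taken from the thread.
EXPECTED_AUTH = "Basic " + base64.b64encode(b"alice:secret").decode()


def make_handler(sticky):
    """Return a request handler class.

    sticky=False: correct, stateless behaviour; every request must carry
                  its own Authorization header.
    sticky=True:  models the misbehaviour reported in the thread (not IIS's
                  real code); once one request on a connection has
                  authenticated, later requests on that same connection
                  are accepted without a header.
    """

    class Handler(BaseHTTPRequestHandler):
        protocol_version = "HTTP/1.1"  # keep-alive is the default for 1.1

        def log_message(self, *args):
            pass  # keep the demo quiet

        def _reply(self, status, body, extra=()):
            self.send_response(status)
            for name, value in extra:
                self.send_header(name, value)
            self.send_header("Content-Type", "text/plain")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def do_POST(self):
            # Drain the request body so the next request on this connection
            # is parsed from the right byte offset.
            self.rfile.read(int(self.headers.get("Content-Length", "0")))

            # One Handler instance serves every request on one connection,
            # so an instance attribute is exactly "per-connection state",
            # which is what must NOT decide authentication.
            if self.headers.get("Authorization") == EXPECTED_AUTH:
                self.conn_authenticated = True
                allowed = True
            elif sticky:
                allowed = getattr(self, "conn_authenticated", False)
            else:
                allowed = False

            if allowed:
                self._reply(200, b"ok\n")
            else:
                self._reply(401, b"unauthorized\n",
                            [("WWW-Authenticate", 'Basic realm="demo"')])

    return Handler


def probe(port):
    """Two POSTs on one persistent connection: first with credentials,
    second without. Returns (first_status, second_status, same_socket);
    a stateless server answers (200, 401, True)."""
    conn = HTTPConnection("127.0.0.1", port)
    conn.request("POST", "/protected", body=b"x=1",
                 headers={"Authorization": EXPECTED_AUTH})
    first = conn.getresponse()
    first.read()
    sock = conn.sock  # the socket http.client reuses if the server kept it alive
    conn.request("POST", "/protected", body=b"x=1")
    second = conn.getresponse()
    second.read()
    same_socket = sock is not None and conn.sock is sock
    conn.close()
    return first.status, second.status, same_socket


def check(sticky):
    """Start a local server in the given mode, probe it, then shut it down."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), make_handler(sticky))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe(server.server_address[1])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("stateless server:", check(False))  # (200, 401, True)
    print("sticky server:   ", check(True))   # (200, 200, True)
```

The `same_socket` flag matters: `http.client` silently reconnects if the server closed the connection, and a reconnect would make a 401 on the second request look like correct behaviour even on a server that keys authentication to the connection. Only a second 401 on the same socket demonstrates that the server re-checked the header, which is the per-request check HTTP's statelessness requires, and which is what keeps a shared proxy connection from leaking one client's identity to another.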