- From: Samuel Rinnetmäki <samuel.rinnetmaki@tothepoint.fi>
- Date: Mon, 03 Sep 2001 14:08:54 +0300
- To: www-validator@w3.org
- Message-id: <fc.000f8d8600108994000f8d8600108994.108e07@tothepoint.fi>
W3C HTML Validation Service has a security issue regarding HTTP Basic Authentication. I searched the archives of this mailing list for "+www-validator +authentication" and found some discussion about HTTP Basic Authentication not being secure, but I think the HTML Validation Service implements HTTP Basic Authentication in a way that is even more insecure than the HTTP Basic Authentication usually.

THE PROBLEM:
If I use the Validator to validate a document on a server (A) which requires authentication, Validator asks for the credentials. If I then try and validate another document on another server (B), my browser sends the same credentials to the Validator and the validator forwards them to the server (B). Thus the server B receives the authorization headers that were required by a document on the server (A). The authorization header is sent even if the document on the server (B) doesn't require authentication.

THE CAUSE:
In the script "check", see lines 1025 - 1027. Of course, when my browser has authenticated to the Validator's Realm, it sends the credentials each time I try to validate any document.

THE CURE:
What the "check" script should do is to keep track of the Realms which require authorization, and send the credentials only to the server (and directory) which originally required them - not to all servers. This would, of course, need some work.

Quicker fix would be to change the 401 message given by the Validator -- "I don't log it or do anything else nasty with it". As it is, it gives the user a false sense of security (IMHO). It would also be nice to see another note on this compromising of security, since the frequent users of the HTML Validation Service rarely see the 401 message.

SEE IT FOR YOURSELF:
If you want to see the security compromise in effect, install the attached "auth_test.php" file on your webserver. (PHP has to be installed on the server and the PHP script should be able to write to the $logfile. See the source. Also, the directory where the script is installed, should *not* require authentication.)

After installation, validate any document which requires HTTP Basic Authentication. Then validate auth_test.php. The username and password you used to validate the other document are written in the $logfile. If you try to access the auth_test.php directly, no username and password are logged since the browser only sends the credentials to the servers which requested them in the first place.

Be sure to delete both the $logfile and the "auth_test.php" script after testing since they are security risks as well.

Regards,
Samuel

---
Samuel Rinnetmaki
Technical Project Manager
To the Point Oy
samuel.rinnetmaki@tothepoint.fi
+358 9 566 0816
+358 40 518 0062
Attachments
- application/octet-stream attachment: auth_test.php
Received on Monday, 3 September 2001 07:17:07 UTC
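
The scoping rule proposed under THE CURE, sketched as an added example that is not part of the original message or of the validator's "check" script: credentials are bound to the server, realm and directory that asked for them, and are forwarded only inside that scope. The class and function names are hypothetical, and the hosts, realm and credential value are constructed sample data.

```python
import posixpath
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

def origin(url):
    """(scheme, host, port) of a URL, with default ports filled in."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    return scheme, (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(scheme)

def directory(url):
    """Directory part of the URL path, dot segments collapsed, ending in '/'."""
    path = urlsplit(url).path or "/"
    path = path[: path.rfind("/") + 1]      # drop the document name
    norm = posixpath.normpath(path)         # resolve "." and ".."
    return norm if norm.endswith("/") else norm + "/"

class ScopedCredentials:
    """Hypothetical store: credentials are bound to the server, realm and
    directory that asked for them, never to the forwarding service as a whole."""

    def __init__(self):
        self._scopes = {}   # origin -> [(directory, realm, authorization value)]

    def remember(self, url, realm, authorization):
        """Record a value that `url` accepted after a 401 naming `realm`."""
        self._scopes.setdefault(origin(url), []).append(
            (directory(url), realm, authorization))

    def header_for(self, url, challenge_realm=None):
        """Authorization value that may be forwarded to `url`, or None."""
        target_dir = directory(url)
        for prefix, realm, value in self._scopes.get(origin(url), []):
            if challenge_realm is not None:
                if realm == challenge_realm:     # same server, same realm
                    return value
            elif target_dir.startswith(prefix):  # unprompted: same directory only
                return value
        return None

# Constructed sample data: hosts, realm and credential are made up.
store = ScopedCredentials()
SECRET = "Basic dXNlcjpwYXNz"
store.remember("http://a.example/private/doc.html", "Staff", SECRET)

if __name__ == "__main__":
    for target in ("http://a.example/private/other.html",
                   "http://a.example/public/index.html",
                   "http://b.example/auth_test.php"):
        print(target, "->", store.header_for(target))
```

Percent-encoded dot segments in the path are not decoded here; a forwarding service would normalise those before comparing directories.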