www-validator Security Issue (Basic Auth)

From: Samuel Rinnetmäki (samuel.rinnetmaki@tothepoint.fi)
Date: Mon, Sep 03 2001

    Message-id: <fc.000f8d8600108994000f8d8600108994.108e07@tothepoint.fi>
    Date: Mon, 03 Sep 2001 14:08:54 +0300
    To: www-validator@w3.org
    From: samuel.rinnetmaki@tothepoint.fi (Samuel Rinnetmäki)
    Subject: www-validator Security Issue (Basic Auth)
    
    
    
    W3C HTML Validation Service has a security issue regarding HTTP Basic
    Authentication.
    
    I searched the archives of this mailing list for "+www-validator
    +authentication" and found some discussion about HTTP Basic Authentication
    not being secure, but I think the HTML Validation Service implements HTTP
    Basic Authentication in a way that is even more insecure than HTTP
    Basic Authentication usually is.
    
    THE PROBLEM:
    
    If I use the Validator to validate a document on a server (A) which
    requires authentication, Validator asks for the credentials. If I then try
    and validate another document on another server (B), my browser sends the
    same credentials to the Validator and the validator forwards them to the
    server (B).  Thus the server B receives the authorization headers that
    were required by a document on the server (A).  The authorization header
    is sent even if the document on the server (B) doesn't require
    authentication.
    
    THE CAUSE:
    
    In the script "check", see lines 1025 - 1027.  Of course, when my browser
    has authenticated to the Validator's Realm, it sends the credentials each
    time I try to validate any document. 
    
    THE CURE:
    
    What the "check" script should do is to keep track of the Realms which
    require authorization, and send the credentials only to the server (and
    directory) which originally required them - not to all servers.
    
    This would, of course, need some work.  A quicker fix would be to change the
    401 message given by the Validator -- "I don't log it or do anything else
    nasty with it".  As it is, it gives the user a false sense of security
    (IMHO).  It would also be nice to see another note on this compromising of
    security, since the frequent users of the HTML Validation Service rarely
    see the 401 message.
    
    SEE IT FOR YOURSELF:
    
    If you want to see the security compromise in effect, install the attached
    "auht_test.php" file on your webserver.  (PHP has to be installed on the
    server and the PHP script should be able to write to the $logfile.  See
    the source.  Also, the directory where the script is installed, should
    *not* require authentication.)
    
    After installation, validate any document which requires HTTP Basic
    Authentication.  Then validate auht_test.php.  The username and password
    you used to validate the other document are written in the $logfile.  If
    you try to access the auht_test.php directly, no username and password are
    logged since the browser only sends the credentials to the servers which
    requested them in the first place.
    
    Be sure to delete both the $logfile and the "auth_test.php" script after
    testing since they are security risks as well.
    
    Regards,
    
    	Samuel
    ---
    Samuel Rinnetmaki
    Technical Project Manager
    To the Point Oy
    samuel.rinnetmaki@tothepoint.fi
    +358 9 566 0816
    +358 40 518 0062
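
The scoping described under "THE CURE", sketched as an added example that is not part of the original message and is not the validator's own "check" script: a proxying service remembers which server, realm and directory issued the 401 and forwards the Authorization header only to matching targets. The class and function names are hypothetical, and the hosts in the test are constructed.

```python
import base64
import posixpath
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """(scheme, host, port) identifying the server a URL points at."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    return scheme, (parts.hostname or "").lower(), parts.port or DEFAULT_PORTS.get(scheme)


def directory_of(url):
    """Directory part of the URL path, normalized, always ending in '/'."""
    path = urlsplit(url).path or "/"
    if not path.endswith("/"):
        path = posixpath.dirname(path)
    return posixpath.normpath(path).rstrip("/") + "/"


class ScopedCredentials:
    """Remembers Basic credentials per (server, realm) and the directory that asked."""

    def __init__(self):
        self._entries = {}  # (origin, realm) -> (directory prefix, header value)

    def remember(self, challenged_url, realm, username, password):
        """Record credentials the user supplied after challenged_url returned 401."""
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        key = (origin(challenged_url), realm)
        self._entries[key] = (directory_of(challenged_url), "Basic " + token)

    def header_for(self, target_url):
        """Authorization value to forward to target_url, or None to send nothing."""
        target = origin(target_url)
        # Resolve '.' and '..' first so a crafted path cannot fake the prefix.
        path = posixpath.normpath(urlsplit(target_url).path or "/") + "/"
        matches = [(prefix, header)
                   for (server, _realm), (prefix, header) in self._entries.items()
                   if server == target and path.startswith(prefix)]
        # Longest prefix wins when nested directories use different realms.
        return max(matches, key=lambda m: len(m[0]))[1] if matches else None
```
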