If configured with SSLVerifyClient set to 1 or 3 and SSLFakeBasicAuth, Apache-SSL 1.3.28+1.52 and all earlier versions would permit a client to use real basic authentication to forge a client certificate.
451c67a07615fb41c04236b83880095a572fd4760c9b81fc36692baed757e5a0Apache-SSL optional client certificate vulnerability
----------------------------------------------------
Synopsis
--------
If configured with SSLVerifyClient set to 1 or 3 (client certificates
optional) and SSLFakeBasicAuth, Apache-SSL 1.3.28+1.52 and all earlier
versions would permit a client to use real basic authentication to
forge a client certificate.
All the attacker needed is the "one-line DN" of a valid user, as used
by faked basic auth in Apache-SSL, and the fixed password ("password"
by default).
Fix
---
Install Apache-SSL 1.3.29+1.53 from the usual places (see
http://www.apache-ssl.org/).
Credits
-------
This vulnerability was found and reported by Wietse Venema.
cheers,
Adam
--
Adam Laurie Tel: +44 (20) 8742 0755
A.L. Digital Ltd. Fax: +44 (20) 8742 5995
The Stores http://www.thebunker.net
2 Bath Road http://www.aldigital.co.uk
London W4 1LT mailto:adam@algroup.co.uk
UNITED KINGDOM PGP key on keyservers
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed