mod_nss FakeBasicAuth authentication bypass

2013.11.15

Credit: Tomas Hoger

Risk: Medium

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

Hi!

A FakeBasicAuth authentication bypass issue was reported for mod_nss
some time ago:

https://www.redhat.com/archives/mod_nss-list/2011-May/msg00001.html

The issue was fixed in upstream git:

https://git.fedorahosted.org/cgit/mod_nss.git/commit/?id=a6c3370491ae1d3bc552e8de9353c82f73e510e3

but there was no new release of mod_nss since to include the fix.

The issue now got CVE-2011-4973 assigned.

Note that the fix changes the user name that needs to be specified in
htpasswd when using FakeBasicAuth.

-- 
Tomas Hoger / Red Hat Security Response Team

References:

https://git.fedorahosted.org/cgit/mod_nss.git/commit/?id=a6c3370491ae1d3bc552e8de9353c82f73e510e3

https://www.redhat.com/archives/mod_nss-list/2011-May/msg00001.html

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

mod_nss FakeBasicAuth authentication bypass

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.