TUCoPS :: Web :: Apache :: hack4217.htm

Apache-SSL security advisory - apache_1.3.28+ssl_1.52 and prior
Apache-SSL security advisory - apache_1.3.28+ssl_1.52 and prior

Apache-SSL optional client certificate vulnerability
----------------------------------------------------

Synopsis
--------

If configured with SSLVerifyClient set to 1 or 3 (client certificates
optional) and SSLFakeBasicAuth, Apache-SSL 1.3.28+1.52 and all earlier
versions would permit a client to use real basic authentication to
forge a client certificate.

All the attacker needed is the "one-line DN" of a valid user, as used
by faked basic auth in Apache-SSL, and the fixed password ("password"
by default).

Fix
---

Install Apache-SSL 1.3.29+1.53 from the usual places (see
http://www.apache-ssl.org/). 

Credits
-------

This vulnerability was found and reported by Wietse Venema.

cheers,
Adam
-- 
Adam Laurie                   Tel: +44 (20) 8742 0755
A.L. Digital Ltd.             Fax: +44 (20) 8742 5995
The Stores                    http://www.thebunker.net 
2 Bath Road                   http://www.aldigital.co.uk 
London W4 1LT                 mailto:adam@algroup.co.uk 
UNITED KINGDOM                PGP key on keyservers

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH