When using digest authentication the browser does not
seem to return the opaque string; is this deliberate, or
do you have to specify a different auth type?

example
GET /top.htm HTTP/1.1
Accept: */*
Accept-Language: en-gb
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Host: localhost:87
Connection: Keep-Alive
REQ : Authorization: Digest username="fred",
realm="Internal@server.test", qop="auth",
algorithm="MD5", uri="/top.htm",
nonce="3b14f0b2188d8c91e33ee7f2a84a1040", nc=0000003e,
cnonce="d4fcf375b60c595a53c752af40b08640",
response="ee58ca2a70377d8737975fd379858f34"

see no opaque, this would allow replay attacks

see RFC 2617
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Digest
realm="testrealm@host.com",
qop="auth,auth-int",

nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
opaque="5ccc069c403ebaf9f0171e9517f40e41"

Authorization: Digest username="Mufasa",
realm="testrealm@host.com",

nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
uri="/dir/index.html",
qop=auth,
nc=00000001,
cnonce="0a4f113b",

response="6629fae49393a05397450978507c4ef1",
opaque="5ccc069c403ebaf9f0171e9517f40e41"
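As an added example (written for this page, not code from the thread or from any vendor), the following Python module does what a server has to do with the two headers quoted above: parse the Authorization: Digest parameters, recompute the RFC 2617 response (algorithm=MD5, qop=auth), and track the nonce-count per nonce so that a re-sent Authorization header is rejected. The values are RFC 2617's own worked example; the assumed password "Circle Of Life" is the one the RFC uses for user "Mufasa". Note the practitioner's point this shows: opaque is merely echoed back unchanged and contributes nothing to the hash, so the replay defence in Digest rests on the server remembering which nonces it issued and the highest nc accepted for each, not on opaque being present.

```python
"""RFC 2617 Digest (MD5, qop=auth) verification with replay detection.

Added example, not from the original thread. Sample values are the RFC 2617
worked example; the password "Circle Of Life" is the RFC's own (assumed here).
"""
import hashlib
import hmac
import re

# key="quoted value"  or  key=bareword  (e.g. qop=auth, nc=00000001)
_PARAM_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')


def parse_digest_header(header):
    """Parse an 'Authorization: Digest ...' value into a dict of parameters.

    Folded continuation lines are joined first; quotes are stripped from
    quoted values, bare values are kept as written.
    """
    body = " ".join(header.split())
    if body.lower().startswith("digest "):
        body = body[len("digest "):]
    params = {}
    for key, quoted, bare in _PARAM_RE.findall(body):
        params[key] = bare if bare else quoted
    return params


def _md5(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def compute_response(username, realm, password, method, uri, nonce, nc, cnonce, qop):
    """request-digest per RFC 2617 section 3.2.2.1 for algorithm=MD5, qop=auth."""
    ha1 = _md5(f"{username}:{realm}:{password}")   # A1 = user:realm:password
    ha2 = _md5(f"{method}:{uri}")                   # A2 = method:digest-uri
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


class DigestVerifier:
    """Server-side check: correct response, correct opaque, and no nc replay.

    `issued` maps every nonce this server handed out to the highest nonce-count
    accepted for it so far. A replayed header re-sends an nc that is not higher
    than that value and is rejected; an unknown nonce is treated as stale.
    """

    def __init__(self, realm, opaque, credentials):
        self.realm = realm
        self.opaque = opaque
        self.credentials = credentials   # username -> password (demo; real servers store HA1)
        self.issued = {}

    def issue_nonce(self, nonce):
        """Register a nonce as sent in a WWW-Authenticate challenge."""
        self.issued[nonce] = 0

    def verify(self, method, params):
        for key in ("username", "realm", "nonce", "uri", "qop", "nc", "cnonce", "response"):
            if key not in params:
                return False, f"missing {key}"
        if params["realm"] != self.realm:
            return False, "realm mismatch"
        # opaque must come back unchanged; it is not part of the hash.
        if params.get("opaque") != self.opaque:
            return False, "opaque missing or altered"
        if params["nonce"] not in self.issued:
            return False, "stale nonce"
        password = self.credentials.get(params["username"])
        if password is None:
            return False, "unknown user"
        expected = compute_response(params["username"], self.realm, password, method,
                                    params["uri"], params["nonce"], params["nc"],
                                    params["cnonce"], params["qop"])
        if not hmac.compare_digest(expected, params["response"]):
            return False, "bad response"
        nc = int(params["nc"], 16)
        if nc <= self.issued[params["nonce"]]:
            return False, "replayed nonce-count"
        self.issued[params["nonce"]] = nc
        return True, "ok"


# Constructed from the RFC 2617 example exchange (section 3.5).
RFC_2617_NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
RFC_2617_OPAQUE = "5ccc069c403ebaf9f0171e9517f40e41"
RFC_2617_AUTHORIZATION = (
    'Digest username="Mufasa", realm="testrealm@host.com", '
    f'nonce="{RFC_2617_NONCE}", uri="/dir/index.html", '
    'qop=auth, nc=00000001, cnonce="0a4f113b", '
    'response="6629fae49393a05397450978507c4ef1", '
    f'opaque="{RFC_2617_OPAQUE}"'
)


def demo():
    """Accept the RFC example once, then reject its replay and an opaque-less copy."""
    server = DigestVerifier("testrealm@host.com", RFC_2617_OPAQUE, {"Mufasa": "Circle Of Life"})
    server.issue_nonce(RFC_2617_NONCE)
    params = parse_digest_header(RFC_2617_AUTHORIZATION)
    first = server.verify("GET", params)
    replay = server.verify("GET", params)
    without_opaque = {k: v for k, v in params.items() if k != "opaque"}
    no_opaque = server.verify("GET", without_opaque)
    return first, replay, no_opaque


if __name__ == "__main__":
    print(demo())
```

Running the module prints the three outcomes: the RFC header verifies, the identical header sent again fails as a replayed nonce-count, and a copy with opaque stripped (the situation the original post describes) fails at the opaque check before the hash is even compared.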

Re: IE 6 Security flaw by S

S
Thu May 20 06:40:56 CDT 2004

Send the information to secure@microsoft.com

--
Svyatoslav Pidgorny, MVP, MCSE
-= F1 is the key =-

"Len" <anonymous@discussions.microsoft.com> wrote in message
news:eccb01c43d3e$3d02b1f0$a401280a@phx.gbl...
> When using digest authentication the browser does not
> seem to return the opaque string; is this deliberate, or
> do you have to specify a different auth type?
>
> example
> GET /top.htm HTTP/1.1
> Accept: */*
> Accept-Language: en-gb
> Accept-Encoding: gzip, deflate
> User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
> Host: localhost:87
> Connection: Keep-Alive
> REQ : Authorization: Digest username="fred",
> realm="Internal@server.test", qop="auth",
> algorithm="MD5", uri="/top.htm",
> nonce="3b14f0b2188d8c91e33ee7f2a84a1040", nc=0000003e,
> cnonce="d4fcf375b60c595a53c752af40b08640",
> response="ee58ca2a70377d8737975fd379858f34"
>
> see no opaque, this would allow replay attacks
>
> see RFC 2617
> HTTP/1.1 401 Unauthorized
> WWW-Authenticate: Digest
> realm="testrealm@host.com",
> qop="auth,auth-int",
>
> nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
> opaque="5ccc069c403ebaf9f0171e9517f40e41"
>
> Authorization: Digest username="Mufasa",
> realm="testrealm@host.com",
>
> nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093",
> uri="/dir/index.html",
> qop=auth,
> nc=00000001,
> cnonce="0a4f113b",
>
> response="6629fae49393a05397450978507c4ef1",
> opaque="5ccc069c403ebaf9f0171e9517f40e41"