Opened 8 years ago

Closed 8 years ago

#119 closed defect (invalid)

http auth accepts any password with correct prefix

Reported by: Martin Loehnertz Owned by: somebody
Priority: minor Milestone:
Component: nginx-module Version: 1.0.x
Keywords: Cc:
uname -a: Linux xxxx 2.6.32-6-pve #1 SMP Fri Nov 4 06:54:05 CET 2011 i686 GNU/Linux
nginx -V: nginx version: nginx/1.0.12
built by gcc 4.4.5 (Debian 4.4.5-8)
TLS SNI support enabled
configure arguments: --without-http_fastcgi_module --without-http_geo_module --without-http_memcached_module --without-http_scgi_module --without-http_uwsgi_module --with-http_ssl_module --with-ipv6 --user=www-data --group=www-data --without-http_limit_zone_module --without-http_referer_module --without-http_split_clients_module --without-http_ssi_module

Description

Http auth accepts any additional suffix to the correct password.
So if the password is "password" then "passwordfoobar" is accepted too.

Change History (1)

comment:1 by Maxim Dounin, 8 years ago

Resolution: invalid
Status: newclosed

The 8 chars is password length limit is in traditional DES crypt(3) scheme, nginx has nothing to do with it. You are free to use any crypt(3) scheme as supported by your OS, as well as Apache's md5 variant ($apr1$) and {SSHA} as supported in nginx 1.0.3+. Anything except traditional DES scheme shouldn't have this limit.

Note: See TracTickets for help on using tickets.