mod_digest_apple for Apache HTTP Server on Mac OS X Authentication Replay

2004-12-02T00:00:00
ID OSVDB:12176
Type osvdb
Reporter OSVDB
Modified 2004-12-02T00:00:00

Description

Vulnerability Description

Apache included with Mac OS X Server contains a flaw that may allow a malicious user to authenticate to the web server by replaying a successful valid login. The issue is triggered when mod_digest_apple fails to validate security tokens for the session. It is possible that the flaw may allow unauthorized access resulting in a loss of confidentiality and/or integrity.

Solution Description

Currently, there are no known workarounds or upgrades to correct this issue. However, Apple has released a patch to address this vulnerability.

References:

Security Tracker: 1012414
Secunia Advisory ID: 13362
Secunia Advisory ID: 17311
RedHat RHSA: RHSA-2005:816
RedHat RHSA: RHSA-2004:600
Other Advisory URL: http://www.mail-archive.com/dev@httpd.apache.org/msg19007.html
CVE-2004-1082