[squid-users] Ldap Digest security problem ?

From: FredB <fredbmail_at_free.fr>
Date: Mon, 26 Mar 2012 11:17:59 +0200 (CEST)

Hi,

Maybe I misconfigured something, but I found a very strange behaviour with Digest and Squid 3.2.
The problem is: when a user is connected with his correct login/password and he closes and reopens his browser, he can change his
login to another ID with a valid nonce (even without a password!)

For example:

1) One user logged in as foo -> valid nonce
2) Another user logged in as jdoe -> valid nonce
3) User one closes/reopens his Firefox and enters jdoe without a password (or with a bad password, it doesn't matter)
4) User one also becomes jdoe in the log, ACLs, DansGuardian, etc.

Is there no link between nonce and login in Squid?

With tcpdump I can see my new "ID" in Firefox:
Digest username="jdoe", realm="TEST", nonce="CzFwT1jv1AjDi6Uq"

Fred
Received on Mon Mar 26 2012 - 09:18:16 MDT
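As an added example (not from this post and not Squid's own code), a minimal RFC 2617 Digest verifier without qop that shows the two checks a proxy must make for the case described above: the response hash is recomputed from the stored password of the claimed username, so an empty or wrong password fails on its own, and as extra hardening each nonce is bound to the first login it was validated for, so it cannot be presented later under another username. The user table, realm and nonce format are constructed for the example; the nonce binding goes beyond what RFC 2617 requires.

```python
import hashlib
import hmac
import secrets

# Constructed user database for the example: username -> cleartext password.
USERS = {"foo": "foo-secret", "jdoe": "jdoe-secret"}
REALM = "TEST"


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username, password, method, uri, nonce):
    """Client-side RFC 2617 response (no qop); used here to build requests."""
    ha1 = md5_hex(f"{username}:{REALM}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{ha2}")


class DigestVerifier:
    def __init__(self):
        # nonce -> username it was first validated for (None = not yet used)
        self.nonces = {}

    def new_nonce(self):
        nonce = secrets.token_urlsafe(12)
        self.nonces[nonce] = None
        return nonce

    def verify(self, username, method, uri, nonce, response):
        if nonce not in self.nonces:
            return False  # unknown, expired or forged nonce
        owner = self.nonces[nonce]
        if owner is not None and owner != username:
            return False  # nonce already bound to a different login
        password = USERS.get(username)
        if password is None:
            return False  # unknown user: never accept on the nonce alone
        expected = digest_response(username, password, method, uri, nonce)
        if not hmac.compare_digest(expected, response):
            return False  # wrong or empty password for the claimed user
        self.nonces[nonce] = username  # bind the nonce to this login
        return True
```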

This archive was generated by hypermail 2.2.0 : Mon Mar 26 2012 - 12:00:03 MDT