MantisBT - Endian Firewall
|View Issue Details|
|ID||Project||Category||View Status||Date Submitted||Last Update|
|0001946||Endian Firewall||Security||public||2009-06-15 15:34||2010-09-20 17:58|
|Target Version||Fixed in Version|
|Summary||0001946: apache/squid accept password in plain text|
|Description||HTTP Basic Authentication sends user and password in plain text; there is a "new" standard which uses the challenge method to grant encrypted username and password: HTTP Digest Authentication.|
Apache, and especially squid, should use this method to avoid sniffing credentials over the trusted local network.
Endian uses basic authentication in:
- Squid proxy authentication
Actually it is possible that a bad user sniffs over the green network and steals proxy credentials.
- Admin interface*
- Hotspot administrative interface*
*The above sections are not really in danger because all the traffic between client and firewall is over SSL (so encrypted on a higher layer).
However, it would be great, in order to increase security (and block man in the middle of ssl), to convert those basic to digest authentication.
(I experienced, some years ago with the 1.3 version, some problems while configuring this kind of authentication)
|Steps To Reproduce|
|Tags||No tags attached.|
|2009-06-15 15:34||luca-endian||New Issue|
|2009-06-15 15:36||luca-endian||Description Updated|
|2009-06-15 16:12||mike-f||Note Added: 0002630|
|2009-06-15 23:31||luca-endian||Note Added: 0002631|
|2009-06-16 11:12||mike-f||Note Added: 0002633|
|2010-09-20 17:58||peter-endian||Severity||minor => feature|
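The difference between the two schemes named in the description, as an added example that is not part of the original report or of Endian's code: a Basic credential is reversible base64, while a Digest response (RFC 2617, `qop=auth`) is an MD5 value bound to the server's nonce. The sample user, realm, nonce and URI are the RFC 2617 test vector; the function names are assumptions made for this illustration.

```python
import base64
import hashlib
import hmac


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def basic_credentials(user, password):
    """Value of a Basic (Proxy-)Authorization header: base64 only, no key."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def decode_basic(header_value):
    """Reverse the encoding, as any party that sees the header can."""
    scheme, token = header_value.split(" ", 1)
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    return user, password


def digest_response(user, realm, password, method, uri, nonce, nc, cnonce):
    """RFC 2617 response for qop=auth; the password itself is never sent."""
    ha1 = md5_hex(f"{user}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def server_accepts(stored_ha1, issued_nonce, method, uri, nc, cnonce, response):
    """Server-side check against the nonce it issued for this challenge."""
    ha2 = md5_hex(f"{method}:{uri}")
    expected = md5_hex(f"{stored_ha1}:{issued_nonce}:{nc}:{cnonce}:auth:{ha2}")
    return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    # RFC 2617 section 3.5 sample values
    user, realm, pw = "Mufasa", "testrealm@host.com", "Circle Of Life"
    nonce, nc, cnonce = "dcd98b7102dd2f0e8b11d0f600bfb0c093", "00000001", "0a4f113b"
    print("Basic on the wire :", basic_credentials(user, pw))
    print("Decoded by observer:", decode_basic(basic_credentials(user, pw)))
    resp = digest_response(user, realm, pw, "GET", "/dir/index.html", nonce, nc, cnonce)
    print("Digest response    :", resp)
    ha1 = md5_hex(f"{user}:{realm}:{pw}")
    # A captured response does not verify against a fresh nonce.
    print("Same nonce  :", server_accepts(ha1, nonce, "GET", "/dir/index.html", nc, cnonce, resp))
    print("Fresh nonce :", server_accepts(ha1, "constructed-new-nonce", "GET", "/dir/index.html", nc, cnonce, resp))
```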