=====================================================================
CERT-Renater Information Note No. 2004/VULN061
_____________________________________________________________________

DATE : 11/02/2004
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S) : Systems running Apache-SSL 1.3.28+1.52 and earlier.

======================================================================

Apache-SSL optional client certificate vulnerability
----------------------------------------------------

Synopsis
--------

If configured with SSLVerifyClient set to 1 or 3 (client certificates
optional) and SSLFakeBasicAuth, Apache-SSL 1.3.28+1.52 and all earlier
versions would permit a client to use real basic authentication to forge a
client certificate. All the attacker needed is the "one-line DN" of a valid
user, as used by faked basic auth in Apache-SSL, and the fixed password
("password" by default).

Fix
---

Install Apache-SSL 1.3.29+1.53 from the usual places (see
http://www.apache-ssl.org/).

Credits
-------

This vulnerability was found and reported by Wietse Venema.

======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER              | tel : 01-53-94-20-44 +
+ 151 bd de l'Hopital       | fax : 01-53-94-20-41 +
+ 75013 Paris               | email: certsvp@renater.fr +
=========================================================
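As an added example (not part of the advisory or of Apache-SSL), the following audit script flags the configuration combination the synopsis describes: SSLVerifyClient 1 or 3 together with SSLFakeBasicAuth, whether set directly in a VirtualHost or inherited from the server level. The directive spellings, the inheritance rule and the sample configuration are assumptions constructed for the example.

```python
"""Audit an Apache-SSL configuration for the SSLVerifyClient / SSLFakeBasicAuth
combination described in CERT-Renater 2004/VULN061 (added example)."""
import re

# Constructed sample configuration; not taken from any real server.
SAMPLE_CONFIG = """
SSLVerifyClient 1
<VirtualHost 10.0.0.1:443>
    SSLVerifyClient 3
    SSLFakeBasicAuth
</VirtualHost>
<VirtualHost 10.0.0.2:443>
    SSLVerifyClient 2
    SSLFakeBasicAuth
</VirtualHost>
<VirtualHost 10.0.0.3:443>
    # inherits SSLVerifyClient 1 from the server level
    SSLFakeBasicAuth on
</VirtualHost>
"""

OPTIONAL_LEVELS = {"1", "3"}  # client certificate optional, per the advisory


def _directives(config_text):
    """Yield (context, directive, argument) with comments stripped."""
    context = "server"
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if m:
            context = m.group(1).strip()
            continue
        if re.match(r"</VirtualHost>", line, re.I):
            context = "server"
            continue
        parts = line.split(None, 1)
        yield context, parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""


def find_vulnerable_contexts(config_text):
    """Return contexts where optional client certs and fake basic auth are both
    enabled. Assumption: server-level settings apply to a VirtualHost unless it
    overrides them."""
    settings = {}
    for ctx, directive, arg in _directives(config_text):
        s = settings.setdefault(ctx, {})
        if directive == "sslverifyclient":
            s["verify"] = arg
        elif directive == "sslfakebasicauth":
            # Bare directive enables it; an explicit "on" is accepted too (assumption).
            s["fake"] = arg.lower() in ("", "on")
    server = settings.get("server", {})
    return [ctx for ctx, s in settings.items()
            if {**server, **s}.get("verify") in OPTIONAL_LEVELS
            and {**server, **s}.get("fake")]


if __name__ == "__main__":
    for ctx in find_vulnerable_contexts(SAMPLE_CONFIG):
        print(f"vulnerable context: {ctx}")
```

Contexts reported are those where a real basic-auth request carrying a user's one-line DN and the fixed password would be accepted as if a client certificate had been presented; the remedy remains the upgrade named under Fix.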