[Spambayes] How to reset proxy admin password?

Tony Meyer tameyer at ihug.co.nz
Mon Dec 6 02:32:31 CET 2004


> As a follow-up, I've managed to find bayescustomize.ini under 
> Application Data\SpamBayes\Proxy, and the password I'm using 
> is correct.  Here's the .ini file:
> 
> [html_ui]
> allow_remote_connections: *
> http_authentication: Digest
> http_password: (my password)
> http_user_name: (my user name)

It appears that Digest authentication is broken (at least it doesn't work
for me either).  I've checked in fixes for this, which will appear in 1.0.2
and 1.1, or if you run from source you could replace your copy of Dibbler.py
with the one from anon CVS.  (Without these fixes, I don't believe it can be
made to work).

I found three issues:

  1.  The regex that Dibbler.py was using was wrong, so it would never work.
I've fixed this.

  2.  IE 6.0 appears to give an invalid nc (nonce-count) response (it's
empty, when it should be 00000001, from what RFC 2617 says).  I've put in a
check to see if it is blank, and if it is, replace it with 00000001 - I
don't see how that could be exploited in any way.

  3.  Firefox 1.0 appears to give back an invalid nc response (as with IE),
*and* an invalid qop response (it's empty, when it should be 'auth', again
based on RFC 2617).  I've treated this like nc, inserting the correct value
if necessary.  Since all we're really after is the md5 bit, I again don't
see how this could be exploited.

If anyone out there knows something about HTTP Digest Auth and can shed
light on #2 and #3 above, that would be great :)

=Tony.Meyer

-- 
Please always include the list (spambayes at python.org) in your replies
(reply-all), and please don't send me personal mail about SpamBayes.
http://www.massey.ac.nz/~tameyer/writing/reply_all.html explains this.
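
An added example, not part of the original post and not SpamBayes or Dibbler.py code: a server-side check of an RFC 2617 Digest `Authorization` header, run on the RFC's own section 3.5 sample request. In the RFC grammar `nc` and `qop` are bare tokens while most other fields are quoted strings, so a parser that accepts only quoted values reads them as missing; `parse_quoted_only` is a hypothetical parser included for contrast, and all function names here are assumptions.

```python
import hashlib
import hmac
import re

# Constructed input: the worked example from RFC 2617 section 3.5.
# nc and qop arrive as bare tokens, not quoted strings.
SAMPLE_HEADER = (
    'Digest username="Mufasa", realm="testrealm@host.com", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
    'qop=auth, nc=00000001, cnonce="0a4f113b", '
    'response="6629fae49393a05397450978507c4ef1", '
    'opaque="5ccc069c403ebaf9f0171e9517f40e41"'
)
PARAM = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|([^\s,"]+))')  # quoted or bare
QUOTED_ONLY = re.compile(r'(\w+)\s*=\s*"([^"]*)"')           # quoted only

def parse_digest(header):
    """Return the header's parameters, accepting quoted and bare values."""
    scheme, _, rest = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest Authorization header")
    return {m.group(1).lower(): m.group(2) if m.group(2) is not None
            else m.group(3) for m in PARAM.finditer(rest)}

def parse_quoted_only(header):
    """Hypothetical over-strict parser: bare tokens are silently dropped."""
    return {k.lower(): v for k, v in QUOTED_ONLY.findall(header)}

def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def expected_response(p, method, password):
    """Compute the request-digest of RFC 2617 section 3.2.2.1."""
    ha1 = md5_hex(":".join([p["username"], p["realm"], password]))
    ha2 = md5_hex(":".join([method, p["uri"]]))
    if p.get("qop"):  # qop=auth binds nc and cnonce into the digest
        parts = [ha1, p["nonce"], p["nc"], p["cnonce"], p["qop"], ha2]
    else:             # RFC 2069 form: no nc, cnonce or qop
        parts = [ha1, p["nonce"], ha2]
    return md5_hex(":".join(parts))

def verify(header, method, password):
    """True only if the client's response matches; malformed input fails."""
    try:
        p = parse_digest(header)
        if p.get("qop") not in (None, "auth"):
            return False
        want = expected_response(p, method, password)
        return hmac.compare_digest(want, p["response"])
    except (KeyError, ValueError, TypeError):
        return False
```

Because `nc`, `cnonce` and `qop` are inputs to the hash, the server has to hash the same values the client used, or a correct password will still fail verification.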


