[darkhttpd] timing attack and local leak of HTTP basic auth credentials
We discussed this vulnerability during Episode 237 on 28 January 2024
A timing side-channel vulnerability in darkhttpd's implementation of HTTP basic authentication. The auth check is done by a strcmp() call, which iterates over the string and compares it character by character, so the time taken by the check depends on how many leading characters match. By observing that time, each character can be recovered through the side channel to brute-force the HTTP password. The vulnerability was fixed by using a constant-time string comparison algorithm.
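The difference between the two comparison styles, as an added example that is not darkhttpd's code or its actual fix. `leaky_equal` and `ct_equal` are hypothetical names, the credential string is constructed, and a step counter stands in for elapsed time.

```c
#include <stdio.h>
#include <string.h>

/* Early-exit comparison, the way strcmp() walks two strings. *steps is the
 * number of byte positions examined before returning. */
static int leaky_equal(const char *supplied, const char *secret, size_t *steps)
{
    for (size_t i = 0;; i++) {
        *steps = i + 1;
        if (supplied[i] != secret[i])
            return 0;               /* stops at the first mismatch */
        if (supplied[i] == '\0')
            return 1;
    }
}

/* Constant-time comparison: the loop count depends only on the length of the
 * supplied value, never on where (or whether) the bytes differ. */
static int ct_equal(const char *supplied, const char *secret, size_t *steps)
{
    size_t n = strlen(supplied), k = strlen(secret);
    size_t diff = n ^ k;            /* non-zero when the lengths differ */
    size_t i;

    for (i = 0; i < n; i++)         /* i % (k + 1) stays inside secret, NUL included */
        diff |= (size_t)((unsigned char)supplied[i] ^
                         (unsigned char)secret[i % (k + 1)]);
    *steps = i;
    return diff == 0;
}

int main(void)
{
    const char *secret = "user:s3cret";     /* constructed sample credential */
    const char *tries[] = { "xser:s3cret", "user:s3creX", "user:s3cret" };

    for (size_t t = 0; t < 3; t++) {
        size_t a, b;
        int r1 = leaky_equal(tries[t], secret, &a);
        int r2 = ct_equal(tries[t], secret, &b);
        printf("%-12s early-exit: match=%d steps=%zu | constant-time: match=%d steps=%zu\n",
               tries[t], r1, a, r2, b);
    }
    return 0;
}
```

The early-exit version does 1, 11 and 12 steps for the three inputs, while the constant-time version does 11 steps for each and differs only in its return value.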