[3060] in WWW Security List Archive
Re: Any known holes in .htaccess/.htpasswd directory security?
daemon@ATHENA.MIT.EDU (Steff Watkins)
Wed Sep 25 05:31:34 1996
From: Steff Watkins <Steff.Watkins@Bristol.ac.uk>
To: www-security@ns2.rutgers.edu
Date: Wed, 25 Sep 1996 07:42:10 +0100 (BST)
In-Reply-To: <c=US%a=_%p=Attachmate%l=EXCH-BEL3-960924161320Z-2865@exch-bel1.attachmate.com> from "John Allen" at Sep 24, 96 09:13:20 am
Errors-To: owner-www-security@ns2.rutgers.edu
John Allen wrote:
=>As the subject says, are there any known holes in the
=>.htaccess/.htpasswd directory security setup? Can't think of any, but my
=>ISP won't implement it 'cause they're afraid of potential security
=>holes. Thanks!
Hello John,
there are two 'sorta obvious' ones.
The first is that it is possible for a remote user with a browser to pull
the '.htpasswd/.htaccess' file IF they have site based access to the
locating directory.
The second is that 'htpasswd's are just uuencoded words (rather than DES
encrypted like ordinary passwords), so they are fairly easy to decrypt.
The obvious way around this is to name your .htpasswd/.htaccess something
different.
From the notes, webpages and emails I have read though, I get the
impression that it is about as secure as a standard telnet session.
Steff
: Steff Watkins, General Computer-type being
: University of Bristol, Clifton, Bristol, AVON, BS8 1TH, UK
:
: RFC-822 : Steff.Watkins@bris.ac.uk
: X-400 : /G=Steff/S=Watkins/O=Bristol/PRMD=UK.AC/ADMD= /C=GB/
: Phone: +44 177 287869 (external) 3046 / 7869 (internal)
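The two concerns raised in the reply above (the password file sitting where a browser can fetch it, and the strength of what is stored in it) can both be audited mechanically. The script below is an added example for this archive page, not code from the thread or from Apache: it classifies each entry of an htpasswd-style file by hash scheme (plain, traditional 13-character crypt, unsalted {SHA}, $apr1$ MD5, bcrypt), flags the ones a defender should rotate, and checks whether the file path lies under a document root. The sample file contents, hash strings and paths are constructed for illustration and are not real credentials.

```python
"""Audit an htpasswd-style file: classify hash schemes, flag weak entries,
and check that the file is not inside the web document root.
Added example; sample data below is constructed, not taken from any system."""
import os
import re
from typing import List, NamedTuple, Tuple

# Constructed sample entries covering the formats htpasswd-style files use.
SAMPLE_HTPASSWD = """\
alice:$apr1$saltsalt$K1Nk4Xdz3yaVvFQsbnPBx.
bob:$2y$05$abcdefghijklmnopqrstuuxz4p5j3jvWGTYaQmgvuHlL1qcBZ7ZxO
carol:{SHA}2jmj7l5rSw0yVb/vlWAYkK/YBwk=
dave:abJnggxhB/yWI
eve:plaintextpassword
# a comment line, skipped by the parser
malformed-line-without-colon
"""


class Entry(NamedTuple):
    user: str
    scheme: str
    weak: bool
    reason: str


# Traditional crypt(3) output: 2-char salt + 11 chars, alphabet [./0-9A-Za-z].
_DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify_hash(h: str) -> Tuple[str, bool, str]:
    """Return (scheme, is_weak, reason) for one hash field."""
    if h.startswith("$apr1$"):
        return "apr1-md5", False, "salted iterated MD5; still used, bcrypt preferred"
    if h.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt", False, "salted, cost-parameterised"
    if h.startswith("{SHA}"):
        return "sha1", True, "unsalted SHA-1, trivially cracked from a dump"
    if _DES_CRYPT.match(h):
        # Ambiguity caveat: a 13-char plaintext from the same alphabet would
        # also match; treat both as weak, which is the safe audit outcome.
        return "crypt-des", True, "DES crypt, password truncated to 8 chars"
    return "plain", True, "stored in clear"


def audit_htpasswd(text: str) -> List[Entry]:
    """Parse user:hash lines; blank and '#' lines are ignored."""
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            entries.append(Entry(f"<line {lineno}>", "malformed", True,
                                 "no user:hash separator"))
            continue
        user, h = line.split(":", 1)
        scheme, weak, reason = classify_hash(h)
        entries.append(Entry(user, scheme, weak, reason))
    return entries


def weak_users(text: str) -> List[str]:
    """Names (or line markers) of entries that should be rotated or fixed."""
    return [e.user for e in audit_htpasswd(text) if e.weak]


def is_under_docroot(path: str, docroot: str) -> bool:
    """True if the password file lives inside the served tree, i.e. a
    browser could request it unless the server explicitly denies it."""
    real_path = os.path.realpath(path)
    real_root = os.path.realpath(docroot)
    return os.path.commonpath([real_path, real_root]) == real_root


if __name__ == "__main__":
    for e in audit_htpasswd(SAMPLE_HTPASSWD):
        flag = "WEAK" if e.weak else "ok  "
        print(f"{flag} {e.user:<10} {e.scheme:<10} {e.reason}")
    # Constructed paths: the first would be fetchable, the second is not.
    for p in ("/var/www/html/private/.htpasswd", "/etc/httpd/conf/.htpasswd"):
        print(p, "under docroot:", is_under_docroot(p, "/var/www/html"))
```

A file that reports as under the document root should be moved outside it (or the server configured to deny requests for it); entries reported as plain, crypt-des or sha1 should be regenerated with a stronger scheme, since the audit only tells you what is stored, not how it got there.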