[3063] in WWW Security List Archive
Re: Any known holes in .htaccess/.htpasswd directory security?
daemon@ATHENA.MIT.EDU (markd@medusa.ed.atl.sita.int)
Wed Sep 25 11:32:36 1996
From: markd@medusa.ed.atl.sita.int
Date: Wed, 25 Sep 96 09:16:42 PDT
To: www-security@ns2.rutgers.edu, Steff Watkins <Steff.Watkins@Bristol.ac.uk>
Errors-To: owner-www-security@ns2.rutgers.edu
--- On Wed, 25 Sep 1996 07:42:10 +0100 (BST) Steff Watkins <Steff.Watkins@Bristol.ac.uk> wrote:
>The second is that 'htpasswd's are just uuencoded words (rather than DES
>encrypted like ordinary passwords), so they are fairly easy to decrypt.
One correction. .htaccess passwords are NOT uuencoded, but use standard DNS encryption. I'm not sure what led you to believe
this, but it is incorrect (unless the UK received a severely crippled version of whatever server you're using). I can
attest to this simply because I've written scripts to directly manipulate the password file and used the exact same chunk of
encryption code I'd (using the standard encrypt function from the C library) written a while back to handle new UNIX account
creations.
-----------------End of Original Message-----------------
--------------------
Mark Davis
Security Coordinator/Systems Administrator
SITA Web Project
SITA Global Telecommunications
http://www.sita.int/
--------------------
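
Added example, not part of the original message: a short Python audit that checks whether each password field in an htpasswd-style file has the shape of a traditional UNIX crypt(3) hash, the format the reply says these files share with UNIX account passwords. It goes beyond the message by also recognising later Apache prefixes ($apr1$, $2y$, {SHA}); the function names and the sample entries are constructed for illustration.

```python
import re

# Traditional crypt(3) output: 2 salt characters followed by 11 hash
# characters, all from the 64-character alphabet ./0-9A-Za-z (13 in total).
TRADITIONAL_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")

# Later Apache htpasswd formats, recognisable by prefix (beyond the message).
PREFIXES = (("$apr1$", "apr1-md5"), ("$2y$", "bcrypt"), ("{SHA}", "sha1-base64"))


def classify_hash(field):
    """Name the scheme a password field appears to use, judged by shape only."""
    for prefix, name in PREFIXES:
        if field.startswith(prefix):
            return name
    if TRADITIONAL_CRYPT.fullmatch(field):
        return "traditional-crypt"
    return "unknown"


def audit_htpasswd(text):
    """Return one (line_no, user, scheme, salt) tuple per non-blank line."""
    results = []
    for line_no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        user, sep, field = line.partition(":")
        if not sep or not user:
            results.append((line_no, None, "malformed", None))
            continue
        scheme = classify_hash(field)
        # For traditional crypt the salt is stored in the first two characters.
        salt = field[:2] if scheme == "traditional-crypt" else None
        results.append((line_no, user, scheme, salt))
    return results


# Constructed sample: the fields are filler of the right shape, not real hashes.
SAMPLE = """\
alice:ab01234567890
bob:$apr1$CONSTRUCT$0000000000000000000000
carol:{SHA}AAAAAAAAAAAAAAAAAAAAAAAAAAA=
dave:plaintext-or-other
no-colon-line
"""

if __name__ == "__main__":
    for row in audit_htpasswd(SAMPLE):
        print(row)
```

The check is on shape alone: a 13-character field from that alphabet is reported as traditional crypt even if it is something else, so treat the result as a triage list for entries to migrate or reset, not as proof of how a field was produced.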