[3065] in WWW Security List Archive
Re: Any known holes in .htaccess/.htpasswd directory security?
daemon@ATHENA.MIT.EDU (Steff Watkins)
Wed Sep 25 11:43:38 1996
From: Steff Watkins <Steff.Watkins@Bristol.ac.uk>
To: www-security@ns2.rutgers.edu
Date: Wed, 25 Sep 1996 14:31:14 +0100 (BST)
In-Reply-To: <Chameleon.960925092729.markd@markd.ed.atl.sita.int> from "markd@medusa.ed.atl.sita.int" at Sep 25, 96 09:16:42 am
Errors-To: owner-www-security@ns2.rutgers.edu
markd@medusa.ed.atl.sita.int wrote:
=>>The second is that 'htpasswd's are just uuencoded words (rather than DES
=>>encrypted like ordinary passwords)., so they are fairly easy to decrypt.
=>
=>One corrrection. .htaccess paswords are NOT uuencoded, but use standard DNS encryption. I'm not sure what led you to believe
=>this, but it is incorrect (unless the UK received a severely crippled versioin of whatever server you're using). I can
=>attest to this simply because I've writtien scripts to directly maniuplate the pasword file and used the exact same chunk of
=>encryption code I'd (using the standard encrypt function from the C library) written a while back to handle new UNIX account
=>creations.
Oh.. my apologies.....
miss-reading the webpage on user passwords at
http://hoohoo.ncsa.uiuc/docs/detup/user.html#Secure
gives:
"In Basic HTTP Authentication, the password is passed over the network not
encrypted but not as plain text -- it is "uuencoded." Anyone watching
packet traffic on the network will not see the password in the clear, but
the password will be easily decoded by anyone who happens to catch the
right network packet."
However, this still does NOT negate that fact that a user, intent on
entry, may be able to pull the htpasswd file and then use 'crack' on it
instead!!!
Steff
