[3067] in WWW Security List Archive
Re: Any known holes in .htaccess/.htpasswd directory security?
daemon@ATHENA.MIT.EDU (Scotty Logan)
Wed Sep 25 13:02:33 1996
Date: Wed, 25 Sep 1996 15:31:10 +0100
From: Scotty Logan <scotty@zinc.oucs.ox.ac.uk>
To: www-security@ns2.rutgers.edu
In-Reply-To: Steff Watkins's message of Wed, 25 Sep 1996 07:42:10 +0100 (BST)
Reply-To: scotty.logan@oucs.ox.ac.uk
Errors-To: owner-www-security@ns2.rutgers.edu
Steff Watkins wrote:
> John Allen wrote:
> =>As the subject says, are there any known holes in the
> =>.htaccess/.htpasswd directory security setup? Can't think of any,
> =>but my ISP won't implement it 'cause they're afraid of potential
> =>security holes. Thanks!
...
> there are two 'sorta obvious' ones.
>
> The first is that it is possible for a remote user with a browser to
> pull the '.htpasswd/.htaccess' file IF they have site based access
> to the locating directory.
Provided that you and the WWW server have access to more of a
filespace than just your web pages you can place the .htpasswd file
outside your public_html directory. If you and the server only have
access to your web pages (i.e. public_html directory) you can put the
.htpasswd file in a subdirectory with its own .htaccess file: e.g.
~/public_html/foo/.htaccess contains:
AuthGroupFile /dev/null
AuthUserFile /home/user/public_html/foo/.passwd/.htpasswd
AuthName Secret Pages
AuthType Basic
<Limit GET POST>
require valid-user
</Limit>
~/public_html/foo/.passwd/.htpasswd contains the username:password
pairs and ~/public_html/foo/.passwd/.htaccess contains:
<Limit GET>
order deny,allow
deny from all
</Limit>
> The second is that 'htpasswd's are just uuencoded words (rather than
> DES encrypted like ordinary passwords), so they are fairly easy to
> decrypt.
I think you'll find that, at least for Apache, 'htpasswd's are
encrypted just like real Unix passwords using the crypt() function.
While much better than uuencoding they are still vulnerable to
programs like crack.
> The obvious way around this is to name your .htpasswd/.htaccess
> something different.
Security through obscurity is never a good policy.
Scotty
--
Scotty Logan, Unix Systems Programmer, mailto:scotty.logan@oucs.ox.ac.uk
Oxford University Computing Services, 13 Banbury Road, Oxford UK OX2 6NN
Tel:(01865) 283288 FAX:(01865) 273275
``I met a DJ who lived in seclusion,
Reality and sobriety were her only delusions''
The Presidents of The United States of America
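An added example, not from Scotty's post or from Apache itself: a small Python auditor for the user:password-hash format the post describes. It classifies each entry's hash scheme and flags the crypt()-style entries the post notes remain crackable; the $apr1$, {SHA} and bcrypt schemes it also recognises are later Apache additions beyond the 1996 discussion. The sample file and every hash string in it are constructed placeholders, not hashes of real passwords.

```python
"""Audit an Apache .htpasswd file (user:hash lines) for weak hash schemes.

The original scheme is Unix crypt() (13 chars: 2-char salt + 11-char DES
digest): hashed, not uuencoded, but cheap to crack and limited to 8-char
passwords. Later Apache releases added $apr1$ (MD5), {SHA} and bcrypt."""
import re

# Most specific patterns first; a bare 13-char string is classic crypt().
SCHEMES = [
    ("bcrypt",   re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")),
    ("apr1-md5", re.compile(r"^\$apr1\$[^$]{1,8}\$[./A-Za-z0-9]{22}$")),
    ("sha1",     re.compile(r"^\{SHA\}[A-Za-z0-9+/]{27}=$")),
    ("crypt",    re.compile(r"^[./A-Za-z0-9]{13}$")),
]
# crypt() and unsalted SHA-1 brute-force quickly; an unrecognised or
# malformed field is a plaintext or mangled entry and needs a look too.
WEAK = {"crypt", "sha1", "unknown", "malformed"}

def classify_hash(pwhash):
    """Return the scheme name for one htpasswd password field."""
    for name, pattern in SCHEMES:
        if pattern.match(pwhash):
            return name
    return "unknown"

def audit_htpasswd(text):
    """Parse htpasswd contents; one dict per user with scheme and weak flag."""
    report = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.rstrip()
        if not line or line.startswith("#"):   # mod_authn_file skips these
            continue
        user, sep, pwhash = line.partition(":")
        scheme = classify_hash(pwhash) if sep else "malformed"
        report.append({"line": lineno, "user": user, "scheme": scheme,
                       "weak": scheme in WEAK})
    return report

# Constructed sample; the hash strings are placeholders of the right shape
# for each scheme, not hashes of any real password.
SAMPLE = """\
alice:abJnggxhB/yWI
bob:$apr1$abcdefgh$0123456789abcdefghijkl
carol:{SHA}AAAAAAAAAAAAAAAAAAAAAAAAAAA=
dave:secret
erin:$2y$05$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234
"""

for entry in audit_htpasswd(SAMPLE):
    print(entry["user"], entry["scheme"], "WEAK" if entry["weak"] else "ok")
```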