[3068] in WWW Security List Archive
Re: Any known holes in .htaccess/.htpasswd directory security?
daemon@ATHENA.MIT.EDU (John Allen)
Wed Sep 25 13:14:07 1996
From: John Allen <JOHNAL@attachmate.com>
To: "'www-security mail list'" <www-security@ns2.rutgers.edu>
Date: Wed, 25 Sep 1996 07:52:26 -0700
Errors-To: owner-www-security@ns2.rutgers.edu
<Steff.Watkins@Bristol.ac.uk> on Tuesday, September 24 wrote:
>John Allen wrote:
>=>As the subject says, are there any known holes in the
>=>.htaccess/.htpasswd directory security setup? Can't think of any,
>=>but my ISP won't implement it 'cause they're afraid of potential
>=>security holes. Thanks!
>
>Hello John,
>
> there are two 'sorta obvious' ones.
>
>The first is that it is possible for a remote user with a browser to
>pull the '.htpasswd/.htaccess' file IF they have site based access to
>the locating directory.
>
>The second is that 'htpasswd's are just uuencoded words (rather than
>DES encrypted like ordinary passwords), so they are fairly easy to
>decrypt.
>
Eh? I created my .htpasswd file by cutting and pasting my encrypted
password from /etc/passwd??!! And that file works just fine on my NCSA web
server on my desk here at work??!! What system are you using?
>The obvious way around this is to name your .htpasswd/.htaccess something
>different.
>
>From the notes, webpages and emails I have read though, I get the
>impression that it is about as secure as a standard telnet session.
>
>Steff
>
>: Steff Watkins, General Computer-type being
>: University of Bristol, Clifton, Bristol, AVON, BS8 1TH, UK
>:
>: RFC-822 : Steff.Watkins@bris.ac.uk
>: X-400 : /G=Steff/S=Watkins/O=Bristol/PRMD=UK.AC/ADMD= /C=GB/
>
>: Phone: +44 177 287869 (external) 3046 / 7869 (internal)
>
>
>
-- John D. Allen, Enterprise Systems Consultant, Attachmate Corporation
-- EMail: Johnal@attachmate.com PGP: Finger -l johnal@attachmate.com
-- Co-Author, Windows 3.1 Connectivity Secrets, 1994, IDG Books
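As an added example (not code from either post in this thread), a small Python audit of the two points Steff raises: whether each .htpasswd entry has the 13-character crypt(3) shape John copied from /etc/passwd or is stored in the clear, and whether the file sits under the web server's document root, where a browser could request it. The sample file, the paths and the hash string are constructed for illustration.

```python
import re
from pathlib import PurePosixPath

# crypt(3) output: 2-char salt followed by 11 chars, all from [./0-9A-Za-z]
DES_CRYPT_RE = re.compile(r'^[./0-9A-Za-z]{13}$')

def classify_hash(field):
    """Return how a single .htpasswd password field is stored."""
    if field == "":
        return "empty"
    if DES_CRYPT_RE.match(field):
        return "des-crypt"
    return "plain-or-unknown"

def audit_htpasswd(text):
    """Parse user:hash lines and return {user: storage format}."""
    entries = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected user:hash")
        user, field = line.split(":", 1)
        if user in entries:
            raise ValueError(f"line {lineno}: duplicate user {user!r}")
        entries[user] = classify_hash(field)
    return entries

def served_by_webserver(password_file, document_root):
    """True if the password file lies under the served document tree,
    i.e. a browser could request it regardless of what it is named."""
    pf = PurePosixPath(password_file)
    return PurePosixPath(document_root) in pf.parents

# Constructed sample: 'alice' has a 13-char crypt(3)-style field (the
# /etc/passwd form John describes), 'bob' a cleartext field.
SAMPLE = """\
# users for /protected
alice:abJnggxhB/yWI
bob:secret
"""

if __name__ == "__main__":
    print(audit_htpasswd(SAMPLE))
    print(served_by_webserver("/var/www/htdocs/protected/.htpasswd",
                              "/var/www/htdocs"))
```

Renaming the file, as suggested above, does not change the result of served_by_webserver; only moving it outside the document root does.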