[3071] in WWW Security List Archive
RE: Any known holes in .htaccess/.htpasswd directory security?
daemon@ATHENA.MIT.EDU (Daniel M. Saito)
Wed Sep 25 15:10:46 1996
From: "Daniel M. Saito" <Daniel@msmail.iosoftware.com>
To: "'www-security@ns2.rutgers.edu'" <www-security@ns2.rutgers.edu>,
"'Steff Watkins'" <Steff.Watkins@Bristol.ac.uk>
Date: Wed, 25 Sep 1996 10:27:16 -0700
Errors-To: owner-www-security@ns2.rutgers.edu
Well, just curious then: .htaccess and .htpasswd are already within the
protected directory, which is protected by the .htaccess file. Wouldn't
the user then need to have access already to initiate the "pull"?
Because if the user does not have access, access will be denied. Please
correct me if I am wrong.. :)
>----------
>From: Steff Watkins[SMTP:Steff.Watkins@Bristol.ac.uk]
>Subject: Re: Any known holes in .htaccess/.htpasswd directory security?
>Hello John,
>
> there are two 'sorta obvious' ones.
>
>The first is that it is possible for a remote user with browser to pull
>the '.htpasswd/.htaccess' file IF they have site based access to the
>locating directory.
>
>The second is that 'htpasswd's are just uuencoded words (rather than DES
>encrypted like ordinary passwords), so they are fairly easy to decrypt.
>
>The obvious way around this is to name your .htpasswd/.htaccess something
>different.
>
>From the notes, webpages and emails I have read though, I get the
>impression that it is about as secure as a standard telnet session.
>
>Steff
>
>: Steff Watkins, General Computer-type being
>: University of Bristol, Clifton, Bristol, AVON, BS8 1TH, UK
>:
>: RFC-822 : Steff.Watkins@bris.ac.uk
>: X-400 : /G=Steff/S=Watkins/O=Bristol/PRMD=UK.AC/ADMD= /C=GB/
>: Phone: +44 177 287869 (external) 3046 / 7869 (internal)
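The "pull" both posters discuss (a browser fetching .htaccess or .htpasswd from a directory the user can already reach) is normally closed at the server rather than by renaming alone. As an added example that is not part of the archived thread, here is an Apache 2.4 configuration fragment that denies direct retrieval of those files and keeps the password file outside the document tree; the paths and the `.acl` name are assumptions, not values from the thread.

```apache
# Added example (not from the archived thread). Apache 2.4 httpd.conf fragment.

# Refuse to serve any file whose name starts with ".ht" or ".acl", so
# .htaccess/.htpasswd (or a renamed access file) cannot be fetched even by a
# user who has already authenticated to the directory that contains them.
<FilesMatch "^\.(ht|acl)">
    Require all denied
</FilesMatch>

# Better still, keep the password file outside the document tree entirely so
# that no URL maps to it. /var/www/private/ is an assumed path.
<Directory "/var/www/html/protected">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile "/var/www/private/htpasswd"
    Require valid-user
</Directory>

# Renaming the per-directory file, as Steff suggests, is done with
# AccessFileName. Note that a renamed file still needs the deny rule above,
# which is why the FilesMatch pattern also covers ".acl".
AccessFileName .acl
```

Check the result from an authenticated session: a request for /protected/.htpasswd or /protected/.acl should return 403, and the AuthUserFile path should not be reachable under any URL.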