[3077] in WWW Security List Archive


Re: Any known holes in .htaccess/.htpasswd directory security?

daemon@ATHENA.MIT.EDU (Adam Cain)
Wed Sep 25 18:39:02 1996

From: "Adam Cain" <acain@ncsa.uiuc.edu>
Date: Wed, 25 Sep 1996 15:37:58 -0500
In-Reply-To: Prentiss Riddle <riddle@is.rice.edu>
        "Re: Any known holes in .htaccess/.htpasswd directory security?" (Sep 25,  8:55am)
Reply-To: acain@ncsa.uiuc.edu
To: Prentiss Riddle <riddle@is.rice.edu>, JOHNAL@attachmate.com (John Allen)
Cc: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu

On Sep 25,  8:55am, Prentiss Riddle wrote:
> In terms of security holes that would threaten the integrity of your
> ISP's machines, none that I've heard of.
>
> However, there is one small loophole in off-the-shelf NCSA httpd
> .htaccess/.htpasswd security which you should bear in mind: while the
> .htaccess/.htpasswd mechanism may successfully protect unauthorized
> access to your data via the HTTP protocol, it won't by itself protect
> your data from local access by your fellow users at your ISP.  Commonly
> httpd servers are set up to run under a non-privileged userid so that
> they can only see files which are world-readable on the local file
> system.  It is possible to get around this by playing games with group
> permissions (or by running httpd as root, a *bad* idea!) but your ISP
> may not want to bother.
>
A bit of clarification... this "loophole" is by no means unique to
the NCSA httpd server.  It is common to have .htaccess files and .htpasswd
files world readable on the server machine.  Ideally, these would be only
readable by the UID of the server, but that may not be feasible in an
ISP environment.

Note that the .htpasswd files do not contain plaintext passwords; they are
one-way encrypted.  So attackers (malicious users on the server machine who
can read the .htpasswd files) would have to run some sort of password guessing
software in order to impersonate another user via Basic Authentication.

> If you are serving out highly sensitive data which require
> near-bulletproof security, you may need to spend the bucks to get your
> ISP to provide you with your own filesystem (or better yet your own
> machine).

Yup.

	Adam

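As an added example (not code from this thread), here is a small POSIX shell audit of the permission problem discussed above: it lists the .htaccess/.htpasswd files under a document root that other local users can read, and tightens them with the group-permission approach Prentiss mentions. The httpd group name is an assumption passed in by the caller; the demo tree and its .htpasswd entry are constructed.

```shell
# Added example, not code from the thread: audit a document root for .htaccess and
# .htpasswd files that any local user can read, then tighten one with the
# group-permission approach mentioned above (owner + the group httpd runs as).

# Print every .htaccess/.htpasswd under $1 whose world-read bit is set.
# Returns 1 if any were found, 0 if the tree is clean.
audit_htfiles() {
    docroot=$1
    # -perm -004: the "other" read bit is set (octal keeps this portable across find implementations)
    found=$(find "$docroot" -type f \( -name .htaccess -o -name .htpasswd \) -perm -004)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Number of world-readable credential/config files under $1 (always exits 0).
count_exposed() {
    audit_htfiles "$1" | grep -c . || true
}

# Make $1 readable by its owner and by group $2 only (mode 640). $2 is assumed
# to be the group the web server runs as, so httpd can still read the file.
harden_htfile() {
    chgrp "$2" "$1" && chmod 640 "$1"
}

# Constructed demo tree: one protected directory whose files are world-readable,
# the usual state on a shared ISP host. Prints the directory path.
make_demo_docroot() {
    tmp=$(mktemp -d)
    mkdir "$tmp/private"
    # Constructed .htpasswd entry; the hash field is a placeholder, not a real crypt() hash.
    printf 'alice:PLACEHOLDER_HASH\n' > "$tmp/private/.htpasswd"
    printf 'AuthType Basic\nAuthName "Private"\nAuthUserFile %s/private/.htpasswd\nrequire valid-user\n' \
        "$tmp" > "$tmp/private/.htaccess"
    chmod 644 "$tmp/private/.htpasswd" "$tmp/private/.htaccess"
    printf '%s\n' "$tmp"
}

if [ "${1:-}" = "demo" ]; then
    root=$(make_demo_docroot)
    echo "Before: $(count_exposed "$root") world-readable file(s)"
    for f in "$root/private/.htpasswd" "$root/private/.htaccess"; do
        harden_htfile "$f" "$(id -gn)"   # the demo uses the caller's own group
    done
    echo "After: $(count_exposed "$root") world-readable file(s)"
    rm -rf "$root"
fi
```

Run the script with `demo` as its first argument to see the before/after counts on the constructed tree; on a real host, point `audit_htfiles` at the document root and pass the server's group to `harden_htfile`.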