[31815] in bugtraq
Re: minor apache htpasswd problem
daemon@ATHENA.MIT.EDU (p@phk.at)
Thu Sep 25 20:02:13 2003
Date: Thu, 25 Sep 2003 23:06:05 +0200
From: p@phk.at
To: bugtraq@securityfocus.com
Message-ID: <20030925230605.A9231@spartakus.turithil.org>
Mail-Followup-To: bugtraq@securityfocus.com
In-Reply-To: <3F734F21.2010703@domdv.de>; from ast@domdv.de on Thu, Sep 25, 2003 at 10:25:05PM +0200
Hi,
I wrote about that to security@apache.org in January. No response either.
Would be surprised if not a whole lot of other people noticed it as well.
A 2.0.x version I checked back then had the same problem iirc.
Thought they'd fix it at some point.
Philipp Krammer
On Thu, Sep 25, 2003 at 10:25:05PM +0200, Andreas Steinmetz wrote:
> This is valid for the htpasswd utility of at least apache 1.3.27 and 1.3.28:
>
> The salt used for password generation solely depends on the current
> system time:
>=20
> (void) srand((int) time((time_t *) NULL));
> ap_to64(&salt[0], rand(), 8);
>=20
> This causes all passwords generated within the same second to have the
> same salt value. This in turn may cause auto-generated default passwords
> to have the same value which could be a point of attack if the password
> file is not properly protected.
>=20
> The apache team was notified on 23.08.2003 but didn't respond.
>=20
> Though it would need quite some administrative errors before the above
> could be used it should still be corrected.
> --
> Andreas Steinmetz
>=20
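To make the defect in the quoted snippet concrete, here is an added example (not Apache's htpasswd code and not part of either poster's message). It reproduces the time-seeded `srand()`/`rand()` salt pattern from the report next to a variant that draws the salt from the kernel CSPRNG. The `to64()` helper mirrors the shape of Apache's `ap_to64` (six bits per character over the crypt alphabet); the function names `weak_salt`, `strong_salt`, `salt_is_valid` and `weak_salt_repeats_within_second` are this example's own, and the fixed timestamp used in the test is a constructed value.

```c
/* Added example: why seeding rand() with time() yields a predictable,
 * repeating htpasswd salt, beside a CSPRNG-based salt. Not Apache code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* crypt(3) salt alphabet; each output character carries six bits,
 * following the shape of Apache's ap_to64 */
static const char itoa64[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

static void to64(char *s, unsigned long long v, int n)
{
    while (--n >= 0) {
        *s++ = itoa64[v & 0x3f];
        v >>= 6;
    }
}

/* The pattern from the report: the salt is a function of the wall clock.
 * Every call within the same second gets the same salt, and a single
 * rand() value (at most 31 bits on common libcs) cannot even fill the
 * 48 bits an 8-character salt could hold. */
void weak_salt(time_t now, char out[9])
{
    srand((unsigned)now);
    to64(out, (unsigned long long)rand(), 8);
    out[8] = '\0';
}

/* Hardened variant: 48 fresh bits from /dev/urandom per salt.
 * Returns 0 on success, -1 if the device cannot be read. */
int strong_salt(char out[9])
{
    unsigned char buf[6];
    unsigned long long v = 0;
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    size_t got = fread(buf, 1, sizeof buf, f);
    fclose(f);
    if (got != sizeof buf)
        return -1;
    for (size_t i = 0; i < sizeof buf; i++)
        v = (v << 8) | buf[i];
    to64(out, v, 8);
    out[8] = '\0';
    return 0;
}

/* 1 if s is exactly 8 characters from the crypt alphabet, else 0 */
int salt_is_valid(const char *s)
{
    if (strlen(s) != 8)
        return 0;
    for (int i = 0; i < 8; i++)
        if (strchr(itoa64, s[i]) == NULL)
            return 0;
    return 1;
}

/* 1 if two time-seeded salts for the same second are identical
 * (the behaviour the report describes), else 0 */
int weak_salt_repeats_within_second(time_t t)
{
    char a[9], b[9];
    weak_salt(t, a);
    weak_salt(t, b);
    return strcmp(a, b) == 0;
}

int main(void)
{
    char s1[9], s2[9], r1[9], r2[9];
    time_t t = time(NULL);

    weak_salt(t, s1);
    weak_salt(t, s2);
    printf("time-seeded salts, same second: %s %s (%s)\n", s1, s2,
           strcmp(s1, s2) == 0 ? "identical" : "different");

    if (strong_salt(r1) == 0 && strong_salt(r2) == 0)
        printf("/dev/urandom salts:             %s %s\n", r1, r2);
    return 0;
}
```

Running it prints two identical time-seeded salts and two distinct urandom salts. For a defender the useful check is the first one: any tool that batch-creates accounts with this htpasswd build produces entries sharing a salt per second, which is visible directly in the password file (the first two characters of each crypt hash are the salt) and removes the per-entry cost that a salt is meant to impose on a dictionary attack.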