LinuxQuestions.org
Old 03-09-2011, 09:35 PM   #1
dhrumantgoradia
Member
 
Registered: Nov 2004
Distribution: CentOS & Ubuntu
Posts: 30

Rep: Reputation: 15
htpasswd allows incomplete password (weird)


Hi there, I've set up a .htpasswd and a .htaccess file.

The password is a0bc0def0g3

If I enter that password, it lets me in.

If I enter a0bc0def0g it also works. I've never seen this before and it is totally weird. Any suggestions?
 
Old 03-09-2011, 09:46 PM   #2
macemoneta
Senior Member
 
Registered: Jan 2005
Location: Manalapan, NJ
Distribution: Fedora x86 and x86_64, Debian PPC and ARM, Android
Posts: 4,593
Blog Entries: 2

Rep: Reputation: 327
From here:

Quote:
Web password files such as those managed by htpasswd should not be within the Web server's URI space -- that is, they should not be fetchable with a browser.

This program is not safe as a setuid executable. Do not make it setuid.

The use of the -b option is discouraged, since when it is used the unencrypted password appears on the command line.

When using the crypt() algorithm, note that only the first 8 characters of the password are used to form the password. If the supplied password is longer, the extra characters will be silently discarded.

The SHA encryption format does not use salting: for a given password, there is only one encrypted representation. The crypt() and MD5 formats permute the representation by prepending a random salt string, to make dictionary attacks against the passwords more difficult.
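As an added example (not from the thread and not Apache's own htpasswd code), here is a small Python audit script that parses a constructed .htpasswd file, classifies each entry's hash format, and shows which part of a typed password actually gets compared. For crypt() entries that is only the first 8 characters, which is exactly why the poster's a0bc0def0g3 and a0bc0def0g both pass. {SHA} entries are verified with hashlib, since that format is unsalted and portable; crypt(), $apr1$ MD5 and bcrypt entries are classified and reported only, because verifying them needs libcrypt or a bcrypt library. The user names are constructed, the {SHA} entry is the real htpasswd encoding of the password "test", and the crypt, $apr1$ and $2y$ strings are placeholders with the right shape rather than real hashes.

```python
import base64
import hashlib
import re

# Constructed sample file (not from the thread). The {SHA} entry is the real
# htpasswd encoding of the password "test"; the crypt(), $apr1$ and $2y$
# strings are placeholders with the right shape, not real hashes.
SAMPLE_HTPASSWD = """\
legacy:ab5xQ8zYd1K2E
shauser:{SHA}qUqP5cyxm6YcTAhz05Hph5gvu9M=
md5user:$apr1$saltsalt$PLACEHOLDERMD5HASHVALUE00
bcryptuser:$2y$05$PLACEHOLDERBCRYPTSALTPLACEHOLDERBCRYPTHASHVALUE000000
"""

# Traditional DES crypt(): 2-character salt followed by 11 hash characters.
CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify_hash(h: str) -> str:
    """Return the htpasswd hash format of one stored hash string."""
    if h.startswith("$apr1$"):
        return "md5"       # Apache MD5, salted
    if h.startswith("{SHA}"):
        return "sha1"      # base64(SHA-1), no salt
    if h.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"    # salted, cost-parameterised
    if CRYPT_RE.match(h):
        return "crypt"     # traditional crypt(), see truncation below
    return "unknown"


def significant_password(fmt: str, password: str) -> str:
    """The part of a supplied password that the given format actually compares."""
    if fmt == "crypt":
        return password[:8]        # crypt() silently drops characters past 8
    if fmt == "bcrypt":
        # bcrypt uses at most 72 bytes of input (known library behaviour).
        return password.encode()[:72].decode(errors="ignore")
    return password


def sha1_htpasswd_hash(password: str) -> str:
    """htpasswd -s encoding: '{SHA}' + base64(SHA-1(password)), unsalted."""
    digest = hashlib.sha1(password.encode()).digest()
    return "{SHA}" + base64.b64encode(digest).decode()


def verify_sha1(stored: str, password: str) -> bool:
    """Check a {SHA} entry; no salt is involved, so the comparison is exact."""
    return stored == sha1_htpasswd_hash(password)


def audit(htpasswd_text: str) -> list:
    """Parse .htpasswd lines into {user, format, warnings} records."""
    report = []
    for line in htpasswd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, stored = line.split(":", 1)
        fmt = classify_hash(stored)
        warnings = []
        if fmt == "crypt":
            warnings.append("crypt(): only the first 8 password characters are checked")
        if fmt == "sha1":
            warnings.append("unsalted SHA-1: identical passwords give identical hashes")
        if fmt == "unknown":
            warnings.append("unrecognised hash format")
        report.append({"user": user, "format": fmt, "warnings": warnings})
    return report


if __name__ == "__main__":
    for rec in audit(SAMPLE_HTPASSWD):
        print(rec["user"], rec["format"], "; ".join(rec["warnings"]))
    # The thread's symptom: against a crypt() entry these two compare as equal.
    print(significant_password("crypt", "a0bc0def0g3")
          == significant_password("crypt", "a0bc0def0g"))
```

Running the script lists each user with its format and any warning; the `legacy` entry is flagged for the 8-character limit, and the final line prints `True` because both of the poster's inputs reduce to `a0bc0def` before comparison. Re-creating affected users with `htpasswd -m` (salted MD5) or `htpasswd -B` (bcrypt) removes the truncation, and the `{SHA}` warning is the man page's point that that format has a single representation per password.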
 
Old 03-09-2011, 09:56 PM   #3
dhrumantgoradia
Member
 
Registered: Nov 2004
Distribution: CentOS & Ubuntu
Posts: 30

Original Poster
Rep: Reputation: 15
Thank you very much. I spent the whole day trying to figure it out; can't believe the answer was right in front of me. I read that page a few times and missed it.

(Kicking myself now, and embarrassed)
 
Old 03-09-2011, 09:58 PM   #4
macemoneta
Senior Member
 
Registered: Jan 2005
Location: Manalapan, NJ
Distribution: Fedora x86 and x86_64, Debian PPC and ARM, Android
Posts: 4,593
Blog Entries: 2

Rep: Reputation: 327
Don't worry about it, it happens to all of us. I call it 'target blindness' - whatever we're looking for is the one thing our eyes keep skipping over.
 
Tags: apache2, security