[lug] Interesting .htpasswd "feature"
Justin
glow at jackmoves.com
Thu Oct 11 13:16:56 MDT 2001
I tested this on Apache 1.3.20 and I got the same thing. Put in my
login name and my password plus a couple keyboard mashes and it logged
in fine. Dunno how someone could abuse this though, 'cause they would
still need the real password...definitely interesting though.
Justin
> Check this out:
>
> If you .htpasswd a directory/site with Apache 1.3.19, log in with the
> correct username and (password + any characters thereafter) you will be
> logged in. I tried this "feature" with Apache 1.3.12 and it didn't work.
> This seems kind of stupid since somebody doesn't have to use the exact
> password when they log in to the site you are protecting. If your password
> was ABCDEF and somebody tried the entire alphabet as a password they would
> be allowed in. How odd. I wonder if it's just my machine. Can anybody
> else confirm this?
>
> Greg
-----
glow at jackmoves.com
www.jackmoves.com