[lug] Interesting .htpasswd "feature"
Scott A. Herod
herod at interact-tv.com
Thu Oct 11 13:20:38 MDT 2001
Is it just using the first 8 characters? I think even telnet only uses 8,
so for example I can mistype the last two characters of my 10-character
password and still log in.
Scott
Justin wrote:
>
> I tested this on Apache 1.3.20 and I got the same thing. Put in my
> login name and my password plus a couple keyboard mashes and it logged
> in fine. Dunno how someone could abuse this though cause they would
> still need the real password...definitely interesting though.
>
> Justin
>
> > Check this out:
> >
> > If you .htpasswd a directory/site with apache 1.3.19, log in with the
> > correct username and (password + any characters thereafter) you will
> > be logged in. I tried this "feature" with apache 1.3.12 and it didn't
> > work. This seems kind of stupid since somebody doesn't have to use the
> > exact password when they log in to the site you are protecting. If your
> > password was ABCDEF and somebody tried the entire alphabet as a password
> > they would be allowed in. How odd. I wonder if it's just my machine. Can
> > anybody else confirm this?
> >
> > Greg
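The behaviour Scott suspects matches the classic crypt(3) DES scheme used by htpasswd, which hashes only the first 8 characters of the password. As an added example (not code from this thread), the script below audits an .htpasswd file and reports which entries use a scheme that discards part of the password; the sample file and its hash values are constructed placeholders of the right shape, not real credentials.

```python
"""Audit .htpasswd entries for password-truncating hash schemes.

Classic Apache .htpasswd entries store crypt(3) DES hashes, which use only
the first 8 characters of the password, so "ABCDEFGH" followed by any
extra characters still verifies.  Added example, not code from the thread;
the sample file below is constructed and its hashes are placeholders.
"""
import re

SAMPLE_HTPASSWD = """\
# constructed sample; the hash values are shape-correct placeholders
greg:abJnggxhB/yWI
justin:$apr1$Zk9r2Qx1$p7Yk3Wq6R4s8Tn0Vb2Mc5/
scott:$2y$05$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234
alice:{SHA}AAAAAAAAAAAAAAAAAAAAAAAAAAA=
"""


def classify_hash(stored: str):
    """Return (scheme, limit): limit is how many password characters
    actually influence the hash, or None when the whole password is used."""
    if stored.startswith("$apr1$"):
        return "apr1-md5", None
    if stored.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt", 72          # bcrypt ignores bytes past the 72nd
    if stored.startswith("{SHA}"):
        return "sha1", None
    if re.fullmatch(r"[./0-9A-Za-z]{13}", stored):
        return "crypt-des", 8        # the 8-character behaviour from the thread
    return "unknown", None


def audit_htpasswd(text: str):
    """Return (user, scheme, limit) for every non-comment entry."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        scheme, limit = classify_hash(stored)
        findings.append((user, scheme, limit))
    return findings


def truncating_users(text: str, max_ok: int = 8):
    """Users whose scheme discards everything beyond max_ok characters."""
    return [u for u, _, limit in audit_htpasswd(text)
            if limit is not None and limit <= max_ok]


if __name__ == "__main__":
    for user, scheme, limit in audit_htpasswd(SAMPLE_HTPASSWD):
        print(f"{user}: {scheme}, significant chars = {limit or 'all'}")
```

Entries flagged by `truncating_users` should be regenerated with a non-truncating scheme (for example `htpasswd -B` for bcrypt) rather than left in DES form.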