httpd-bugs mailing list archives

Subject DO NOT REPLY [Bug 47573] New: htpasswd vulnerable after 8 characters
Date Fri, 24 Jul 2009 13:43:06 GMT

           Summary: htpasswd vulnerable after 8 characters
           Product: Apache httpd-2
           Version: 2.2.3
          Platform: Other
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Build

Creating a password with more than 8 characters gets truncated.
After 8 characters the user only needs to supply the password up to the 8th
character.  I even created an account on your site with 12 characters and only
had to supply 8. 

In addition:
The man page Examples state that htpasswd uses Apache md5 by default.  You
need to use the -m switch in order to use the md5 function.

             htpasswd /usr/local/etc/apache/.htpasswd-users jsmith

       Adds or modifies the password for user jsmith. The user is prompted for
       the password. If executed on a Windows system,  the  password  will  be
       encrypted  using the modified Apache MD5 algorithm; otherwise, the sys-
       tem’s crypt() routine will  be  used.  If  the  file  does  not  exist,
       htpasswd will do nothing except return an error.

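An added example, not part of the original report or of Apache's code: a Python audit that scans an htpasswd file and flags entries stored in the system crypt() format, the case reported above where only the first 8 characters of the password are checked. It assumes the system crypt() is the traditional DES scheme (13-character hash, no prefix); the sample entries are constructed placeholders and the function names are this example's own.

```python
import re

# Scheme patterns as they appear in the hash field of an htpasswd line.
SCHEMES = [
    ("apache-md5", re.compile(r"^\$apr1\$")),     # written by htpasswd -m
    ("bcrypt", re.compile(r"^\$2[abxy]?\$")),
    ("sha1", re.compile(r"^\{SHA\}")),
    # Traditional DES crypt(): 2 salt chars + 11 hash chars, no prefix.
    # Assumption: this is what the system crypt() produced.
    ("des-crypt", re.compile(r"^[./0-9A-Za-z]{13}$")),
]


def classify(hash_field):
    """Name the scheme of one htpasswd hash field, or 'unknown'."""
    for name, pattern in SCHEMES:
        if pattern.search(hash_field):
            return name
    return "unknown"


def audit(text):
    """Return (user, scheme, truncates_at_8) for every user:hash line."""
    results = []
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        user, hash_field = line.split(":", 1)
        scheme = classify(hash_field)
        # DES crypt() only uses the first 8 characters of the password.
        results.append((user, scheme, scheme == "des-crypt"))
    return results


# Constructed sample: placeholder strings with the right shape for each
# scheme, not real password hashes.
SAMPLE = "\n".join([
    "jsmith:ab" + "A" * 11,
    "alice:$apr1$saltsalt$" + "B" * 22,
    "bob:{SHA}" + "C" * 27 + "=",
    "carol:$2y$05$" + "D" * 53,
])

if __name__ == "__main__":
    for user, scheme, truncates in audit(SAMPLE):
        note = "only first 8 characters checked" if truncates else "ok"
        print(f"{user:8} {scheme:12} {note}")
```

Users flagged by the audit need their entries regenerated with a different scheme (for example the `-m` switch mentioned above), which requires setting the password again.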