httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 47573] New: htpasswd vulnerable after 8 characters
Date Fri, 24 Jul 2009 13:43:06 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=47573

           Summary: htpasswd vulnerable after 8 characters
           Product: Apache httpd-2
           Version: 2.2.3
          Platform: Other
               URL: http://issues.apahce.org
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Build
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: kod@kellyodonnell.org


Creating a password with more than 8 characters results in it being truncated.
After 8 characters the user only needs to supply the password up to the 8th
character.  I even created an account on your site with 12 characters and only
had to supply 8.

In addition:
The man page Examples states that htpasswd uses Apache md5 by default.  You
need to use the -m switch in order to use the md5 function.

"EXAMPLES
             htpasswd /usr/local/etc/apache/.htpasswd-users jsmith

       Adds or modifies the password for user jsmith. The user is prompted for
       the password. If executed on a Windows system,  the  password  will  be
       encrypted  using the modified Apache MD5 algorithm; otherwise, the sys-
       tem’s crypt() routine will  be  used.  If  the  file  does  not  exist,
       htpasswd will do nothing except return an error."

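An added example, not part of the original report or of Apache's code: a small audit that classifies the entries of an htpasswd file by hash scheme and lists the ones stored with traditional crypt(). It assumes the traditional DES-based crypt() format (a 13-character hash that only covers the first 8 password characters); the function names are hypothetical and the sample file is constructed.

```python
import re

# Scheme detection for the hash field of an htpasswd line, by prefix or shape.
# The des-crypt rule is shape-based: 13 characters from the crypt() alphabet.
SCHEMES = [
    ("apr1-md5", re.compile(r"^\$apr1\$")),              # htpasswd -m
    ("bcrypt", re.compile(r"^\$2[aby]\$")),
    ("sha1", re.compile(r"^\{SHA\}")),                   # htpasswd -s
    ("des-crypt", re.compile(r"^[./0-9A-Za-z]{13}$")),   # traditional crypt()
]

def classify(hash_field):
    """Name the scheme of one stored hash, or 'unknown'."""
    for name, pattern in SCHEMES:
        if pattern.search(hash_field):
            return name
    return "unknown"

def audit(text):
    """Return (user, scheme) pairs for every entry in htpasswd-format text."""
    results = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, hash_field = line.split(":", 1)
        results.append((user, classify(hash_field)))
    return results

def truncating_users(text):
    """Users whose stored hash only covers the first 8 password characters."""
    return [user for user, scheme in audit(text) if scheme == "des-crypt"]

# Constructed sample: placeholder values with the right shape, not real hashes.
SAMPLE = """\
jsmith:ab1234567890.
alice:$apr1$saltsalt$0123456789abcdefghijkl
bob:{SHA}AAAAAAAAAAAAAAAAAAAAAAAAAAA=
carol:$2y$05$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234
"""

if __name__ == "__main__":
    for user, scheme in audit(SAMPLE):
        flag = "  <-- only first 8 characters checked" if scheme == "des-crypt" else ""
        print(f"{user}: {scheme}{flag}")
```

Entries it flags can be re-created with the -m switch mentioned in the report, so the whole password is hashed.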