httpd-dev mailing list archives

From r..@ai.mit.edu (Robert S. Thau)
Subject Re: WWW Form Bug Report: ".htpasswd not checked in current directory" on SunOS 4.x
Date Tue, 18 Jun 1996 17:09:34 GMT
   Previously "AuthUserFile .htpasswd" would look in the current directory

...and "GET /that/dir/.htpasswd" would allow anyone who had guessed or
cracked one of the passwords therein to retrieve the hash codes of the
others and have much better odds at cracking them as well.  Neat!

I'm not sure what to tell these guys, since it's beyond my skill to
say tactfully, "we shouldn't have made this easy, since you shouldn't
have been doing it".  But that is what I really believe about this...

rst
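
An added audit sketch, not part of the original message or of Apache's own code: it walks a document root and reports every `.htaccess` whose `AuthUserFile` resolves to a path inside that root, where a plain GET could reach it. The function names and the sample tree are hypothetical; with `server_root=None`, relative paths are resolved against the `.htaccess` directory, as the quoted report describes.

```python
import os
import shlex
import tempfile

def exposed_auth_files(docroot, server_root=None):
    """Return (htaccess_path, password_file) pairs where AuthUserFile
    resolves to a path inside docroot, i.e. a file the server could serve."""
    docroot = os.path.realpath(docroot)
    findings = []
    for dirpath, _dirs, files in os.walk(docroot):
        if ".htaccess" not in files:
            continue
        htaccess = os.path.join(dirpath, ".htaccess")
        with open(htaccess, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                line = line.strip()
                if not line or line.startswith("#"):
                    continue
                try:
                    parts = shlex.split(line)  # handles quoted paths
                except ValueError:
                    continue  # unbalanced quotes: not a usable directive
                if len(parts) < 2 or parts[0].lower() != "authuserfile":
                    continue
                target = parts[1]
                if not os.path.isabs(target):
                    # Assumption: server_root=None models the behaviour in the
                    # quoted report (relative to the current directory).
                    target = os.path.join(server_root or dirpath, target)
                target = os.path.realpath(target)
                if os.path.commonpath([docroot, target]) == docroot:
                    findings.append((htaccess, target))
    return findings

def demo():
    """Constructed tree: 'bad' keeps its password file beside the content,
    'good' points at a file outside the document root."""
    base = os.path.realpath(tempfile.mkdtemp())
    docroot = os.path.join(base, "htdocs")
    for name in ("bad", "good"):
        os.makedirs(os.path.join(docroot, name))
    with open(os.path.join(docroot, "bad", ".htaccess"), "w") as fh:
        fh.write("AuthType Basic\nAuthUserFile .htpasswd\n")
    outside = os.path.join(base, "auth", "passwd")
    with open(os.path.join(docroot, "good", ".htaccess"), "w") as fh:
        fh.write('AuthType Basic\nAuthUserFile "%s"\n' % outside)
    return docroot, exposed_auth_files(docroot)
```

Any path it reports belongs outside the document root.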
