
I've got a few sites with directories protected by http basic auth implemented via .htaccess files paired with .htpasswd files. I've noticed that with a password ending in "et!" I can get in by omitting the "t!", or replacing the ! with a 1.

Contents of my .htaccess file:

AuthType Basic
AuthName "administration"
AuthUserFile /var/www/conf/mysitename.com.pw

require valid-user

I have two users in mysitename.com.pw.

Obviously this behavior isn't wanted. Any idea what's going on?

2 Answers


Have a look at: http://httpd.apache.org/docs/2.1/misc/password_encryptions.html

It sounds to me like you're using CRYPT format passwords (the default on most platforms). CRYPT passwords only use the first 8 characters of the password.

I suspect your password exceeds 8 characters in length and the "slightly incorrect" part are characters in the ninth or greater position (which aren't actually checked as part of the password).

Evan Anderson
  • the man page doesn't mention the default on linux systems. is CRYPT default when using the htpasswd binary without -m, -d, or -s? –  Jul 07 '10 at 20:10
  • Try changing the hashing algorithm to SHA1 or MD5, see if that fixes it. – Marcin Jul 07 '10 at 20:19
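To make the answer concrete, here is an added example (my own code, not from the original post and not Apache's) that verifies the three formats htpasswd(1) writes, {SHA}, $apr1$ and traditional CRYPT, and audits a file for CRYPT entries. The user names, passwords and salts are constructed for illustration; the CRYPT check calls the platform's crypt(3) through ctypes and is skipped where libcrypt no longer provides DES. The $apr1$ routine is a Python transcription of the md5crypt algorithm Apache uses.

```python
"""Added example for the CRYPT-truncation answer above; not code from the post or from Apache.
Verifies the three formats htpasswd(1) writes ({SHA}, $apr1$, traditional CRYPT) and audits a
file for CRYPT entries. Users, passwords and salts are constructed for illustration."""
import base64, ctypes, ctypes.util, hashlib, hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def to64(v: int, n: int) -> str:
    """md5crypt's little-endian base64 of the low 6*n bits of v."""
    return "".join(ITOA64[(v >> (6 * i)) & 0x3F] for i in range(n))


def apr1_md5(password: str, salt: str) -> str:
    """Apache's $apr1$ hash: md5crypt with the '$apr1$' magic and a salt of at most 8 chars."""
    pw, salt_b = password.encode(), salt[:8].encode()
    ctx = hashlib.md5(pw + b"$apr1$" + salt_b)
    alt = hashlib.md5(pw + salt_b + pw).digest()
    for n in range(len(pw), 0, -16):
        ctx.update(alt[:min(16, n)])
    n = len(pw)
    while n:
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):  # stretching loop from the reference md5crypt
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(salt_b)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    body = "".join(to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups)
    return "$apr1$" + salt_b.decode() + "$" + body + to64(final[11], 2)


def sha1_entry(password: str) -> str:
    """The {SHA} format: unsalted base64(SHA-1(password))."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def _libcrypt():
    """Best-effort handle to a library exporting crypt(3); None if none is loadable."""
    for name in (ctypes.util.find_library("crypt"), "libcrypt.so.1", None):
        try:
            lib = ctypes.CDLL(name)
            lib.crypt.restype, lib.crypt.argtypes = ctypes.c_char_p, [ctypes.c_char_p] * 2
            return lib
        except Exception:
            pass
    return None


def des_crypt(password: str, salt: str):
    """Traditional crypt(3) via the platform libcrypt; None where DES is unavailable or disabled."""
    lib = _libcrypt()
    out = lib.crypt(password.encode(), salt[:2].encode()) if lib else None
    return out.decode() if out and len(out) == 13 else None  # libxcrypt returns "*0" if DES is off


def hash_format(stored: str) -> str:
    if stored.startswith("{SHA}"):
        return "sha1"
    if stored.startswith("$apr1$"):
        return "apr1"
    return "crypt" if len(stored) == 13 and "$" not in stored else "unknown"


def verify(password: str, stored: str) -> bool:
    """True if password matches the stored htpasswd entry (constant-time compare)."""
    fmt = hash_format(stored)
    if fmt == "sha1":
        computed = sha1_entry(password)
    elif fmt == "apr1":
        computed = apr1_md5(password, stored.split("$")[2])
    elif fmt == "crypt":
        computed = des_crypt(password, stored[:2])
    else:
        raise ValueError("unsupported htpasswd hash: " + stored)
    return computed is not None and hmac.compare_digest(computed, stored)


def parse_htpasswd(text: str) -> dict:
    """user -> stored hash, skipping blank and comment lines."""
    pairs = (l.strip().partition(":") for l in text.splitlines() if l.strip() and not l.startswith("#"))
    return {user: stored for user, _, stored in pairs}


def audit(text: str) -> list:
    """(user, format, note) per entry; CRYPT entries are flagged for 8-character truncation."""
    notes = {"crypt": "only the first 8 password characters are checked"}
    return [(u, hash_format(h), notes.get(hash_format(h), "ok")) for u, h in parse_htpasswd(text).items()]


# Constructed 13-character password ending in "et!", as in the question, plus two look-alikes
# that share its first 8 characters ("s3curepl") and differ only after that.
PASSWORD = "s3cureplanet!"
LOOKALIKES = ["s3cureplane", "s3cureplanet1"]

# Constructed sample file: the same password stored in each format; carol's CRYPT line is
# only generated where the platform's crypt(3) still supports DES.
SAMPLE_HTPASSWD = "\n".join(
    ["alice:" + sha1_entry(PASSWORD), "bob:" + apr1_md5(PASSWORD, "saltsalt")]
    + ["carol:" + h for h in [des_crypt(PASSWORD, "ab")] if h]) + "\n"


def truncation_demo() -> dict:
    """Look-alikes accepted per user: CRYPT (carol) accepts both, {SHA} and $apr1$ accept none."""
    return {u: [p for p in LOOKALIKES if verify(p, h)]
            for u, h in parse_htpasswd(SAMPLE_HTPASSWD).items()}


if __name__ == "__main__":
    for row in audit(SAMPLE_HTPASSWD):
        print(row)
    print(truncation_demo())
```

Running it prints one audit row per user and then, for each user, the look-alike passwords that still verify: an empty list for the {SHA} and $apr1$ entries, and both look-alikes for the CRYPT entry (when DES is available), which is exactly the behaviour in the question. Regenerating the entries with htpasswd -m (MD5, $apr1$) or htpasswd -s ({SHA}) removes the truncation; of those two, $apr1$ is the better choice because {SHA} is unsalted, and httpd 2.4's htpasswd -B (bcrypt) is better still.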

I would try erasing and recreating the .pw file first. This is a really strange problem...

If that doesn't fix it, check for bug reports related to your version of Apache. I HIGHLY HIGHLY doubt it is a bug, though.

I wish I knew where to go from there. Hopefully when you remove/recreate the file it fixes the problem. If not, hopefully an Apache expert wanders this way soon...

mistiry