minor apache htpasswd problem

From: Andreas Steinmetz (ast_at_domdv.de)
Date: 09/25/03

    Date: Thu, 25 Sep 2003 22:25:05 +0200
    To: bugtraq@securityfocus.com
    This is valid for the htpasswd utility of at least apache 1.3.27 and 1.3.28:

    The salt used for password generation solely depends on the current
    system time:

    (void) srand((int) time((time_t *) NULL));
    ap_to64(&salt[0], rand(), 8);

    This causes all passwords generated within the same second to have the
    same salt value. This in turn may cause auto-generated default passwords
    to have the same value which could be a point of attack if the password
    file is not properly protected.

    The apache team was notified on 23.08.2003 but didn't respond.

    Though it would need quite some administrative errors before the above
    could be used, it should still be corrected.

    -- 
    Andreas Steinmetz
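As an added illustration (not part of the post and not Apache's own code), the following C program reproduces the time-seeded salt construction described above beside a clock-independent one. The names to64, weak_salt and strong_salt are mine; the alphabet and 6-bit encoding follow the idea of ap_to64 rather than being copied from httpd.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

/* crypt(3)-style salt alphabet "./0-9A-Za-z": one character per 6 bits. */
static const char itoa64[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* Encode the low 6*n bits of v as n salt characters (the idea behind ap_to64). */
static void to64(char *s, unsigned long long v, int n)
{
    for (; n > 0; n--, v >>= 6)
        *s++ = itoa64[v & 0x3f];
}

/* Weak salt as in the post: seeded with the current second, so every call in that second yields the same salt. */
void weak_salt(char out[9], time_t now)
{
    srand((unsigned) now);
    to64(out, (unsigned long long) rand(), 8);
    out[8] = '\0';
}

/* Fixed salt: 48 bits from the OS CSPRNG, independent of the clock; 0 on success, -1 if /dev/urandom is unreadable. */
int strong_salt(char out[9])
{
    unsigned char buf[6];
    unsigned long long v = 0;
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL) return -1;
    size_t got = fread(buf, 1, sizeof buf, f);
    fclose(f);
    if (got != sizeof buf) return -1;
    for (size_t i = 0; i < sizeof buf; i++) v = (v << 8) | buf[i];
    to64(out, v, 8);
    out[8] = '\0';
    return 0;
}

int main(void)
{
    char a[9], b[9], s[9];
    time_t now = time(NULL);
    weak_salt(a, now);
    weak_salt(b, now);
    printf("time-seeded: %s %s (identical: %s)\n", a, b, strcmp(a, b) == 0 ? "yes" : "no");
    if (strong_salt(s) == 0) printf("urandom:     %s\n", s);
    return 0;
}
```

Two users whose entries are created in the same second get the same salt, so identical default passwords produce identical hash strings in the password file; the urandom-based salt removes that correlation.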