https://issues.apache.org/bugzilla/show_bug.cgi?id=47573
Summary: htpasswd vulnerable after 8 characters
Product: Apache httpd-2
Version: 2.2.3
Platform: Other
URL: http://issues.apahce.org
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Build
AssignedTo: [email protected]
ReportedBy: [email protected]
A password created with more than 8 characters gets truncated.
After 8 characters the user only needs to supply the password up to the 8th
character. I even created an account on your site with 12 characters and only
had to supply 8.
In addition:
The man page Examples state that htpasswd uses Apache md5 by default. You
need to use the -m switch in order to use the md5 function.
"EXAMPLES
htpasswd /usr/local/etc/apache/.htpasswd-users jsmith
Adds or modifies the password for user jsmith. The user is prompted for
the password. If executed on a Windows system, the password will be
encrypted using the modified Apache MD5 algorithm; otherwise, the system’s
crypt() routine will be used. If the file does not exist,
htpasswd will do nothing except return an error."
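Added example, not part of the original report or of Apache's code: a small audit that finds htpasswd entries stored with the system crypt() routine, the format whose hash covers only the first 8 password characters, so they can be re-created with the -m switch. The function names and the sample entries are assumptions made for illustration; the hash values are constructed placeholders.

```python
import re

# Traditional DES crypt() output: 2 salt characters followed by 11 hash
# characters, all from [./0-9A-Za-z]. Only the first 8 password
# characters feed into this hash, which is the truncation reported above.
DES_CRYPT = re.compile(r"[./0-9A-Za-z]{13}")

def classify(hash_field):
    """Name the scheme behind one htpasswd hash field."""
    if hash_field.startswith("$apr1$"):
        return "apr1-md5"            # what `htpasswd -m` writes
    if hash_field.startswith("{SHA}"):
        return "sha1"                # what `htpasswd -s` writes
    if hash_field.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"
    if DES_CRYPT.fullmatch(hash_field):
        return "des-crypt"
    return "unknown"

def audit(lines):
    """Return {user: scheme} for every well-formed entry."""
    report = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                 # blank line or comment
        user, sep, rest = line.partition(":")
        if not sep or not user:
            continue                 # not a user:hash entry
        report[user] = classify(rest.split(":", 1)[0])
    return report

def truncated_users(lines):
    """Users whose stored hash only covers 8 password characters."""
    return sorted(u for u, s in audit(lines).items() if s == "des-crypt")

# Constructed sample file contents (the hash values are placeholders).
SAMPLE = [
    "# staff accounts",
    "jsmith:abCONSTRUCTED",
    "alice:$apr1$constrct$PLACEHOLDERPLACEHOLDER0",
    "bob:{SHA}PLACEHOLDERPLACEHOLDER000=",
    "",
    "carol:xyPLACEHOLDER",
]

if __name__ == "__main__":
    for user in truncated_users(SAMPLE):
        print(f"{user}: DES crypt() entry, re-create with htpasswd -m")
```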