Open Source and information security mailing list archives
Date: Thu, 25 Sep 2003 23:06:05 +0200
From: p@....at
To: bugtraq@...urityfocus.com
Subject: Re: minor apache htpasswd problem

Hi,

I wrote about that to security@...che.org in January. No response either.
Would be surprised if not a whole lot of other people noticed it as well.
A 2.0.x version I checked back then had the same problem iirc.


Thought they'd fix it at some point. 

Philipp Krammer



On Thu, Sep 25, 2003 at 10:25:05PM +0200, Andreas Steinmetz wrote:
> This is valid for the htpasswd utility of at least apache 1.3.27 and 1.3.28:
> 
> The salt used for password generation solely depends on the current 
> system time:
> 
> (void) srand((int) time((time_t *) NULL));
> ap_to64(&salt[0], rand(), 8);
> 
> This causes all passwords generated within the same second to have the 
> same salt value. This in turn may cause auto-generated default passwords 
> to have the same value which could be a point of attack if the password 
> file is not properly protected.
> 
> The apache team was notified on 23.08.2003 but didn't respond.
> 
> Though it would need quite some administrative errors before the above 
> could be used, it should still be corrected.
> -- 
> Andreas Steinmetz
> 

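The quoted srand/rand salt scheme and a hardened replacement, side by side. This is an added example, not htpasswd's or Apache's code: to64() is modelled after Apache's ap_to64() with the standard crypt(3) alphabet, weak_salt() takes the clock value as a parameter so the same-second case can be reproduced deterministically (htpasswd itself calls time(NULL)), and strong_salt() assumes a POSIX system with /dev/urandom.

```c
/* Added example: time-seeded salt (as in the quoted htpasswd code) versus a
 * salt drawn from the kernel CSPRNG. Not Apache code; to64() is modelled
 * after ap_to64(), alphabet is the crypt(3) one. Assumes /dev/urandom. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

static const char itoa64[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* Emit n salt characters, 6 bits each, least-significant group first. */
static void to64(char *s, uint64_t v, int n)
{
    while (--n >= 0) {
        *s++ = itoa64[v & 0x3f];
        v >>= 6;
    }
}

/* Weak scheme: seed libc's PRNG with the clock, take a single rand().
 * Every call made with the same 'now' (same second) yields the same salt. */
void weak_salt(char out[9], time_t now)
{
    srand((unsigned) now);
    to64(out, (uint64_t) rand(), 8);
    out[8] = '\0';
}

/* Hardened: 48 bits from /dev/urandom mapped through the same alphabet.
 * Returns 0 on success, -1 if the CSPRNG cannot be read; the caller must
 * then fail instead of silently falling back to the clock. */
int strong_salt(char out[9])
{
    unsigned char buf[6];
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f)
        return -1;
    size_t got = fread(buf, 1, sizeof buf, f);
    fclose(f);
    if (got != sizeof buf)
        return -1;

    uint64_t v = 0;
    for (int i = 0; i < 6; i++)
        v |= (uint64_t) buf[i] << (8 * i);
    to64(out, v, 8);
    out[8] = '\0';
    return 0;
}

/* Sanity check: exactly 8 characters, all from the crypt alphabet. */
int salt_is_valid(const char *s)
{
    if (strlen(s) != 8)
        return 0;
    for (int i = 0; i < 8; i++)
        if (!strchr(itoa64, s[i]))
            return 0;
    return 1;
}

int main(void)
{
    char a[9], b[9], c[9], d[9];
    time_t now = time(NULL);

    /* Two accounts created within the same second: identical salts. */
    weak_salt(a, now);
    weak_salt(b, now);
    printf("weak  : %s %s (%s)\n", a, b,
           strcmp(a, b) == 0 ? "identical" : "differ");

    if (strong_salt(c) == 0 && strong_salt(d) == 0)
        printf("strong: %s %s (%s)\n", c, d,
               strcmp(c, d) == 0 ? "identical" : "differ");
    else
        fprintf(stderr, "could not read /dev/urandom\n");
    return 0;
}
```

Besides the same-second collision, note that a single rand() value carries at most 31 bits on platforms where RAND_MAX is 2^31-1, so with this mapping the last two salt characters never vary at all; the /dev/urandom version uses all 48 bits of the 8-character salt and refuses to produce a salt when the CSPRNG is unavailable.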
