Ping a Specific Port

Question

Jacksonkr

Asked: 2013-03-02 06:05:08 +0800 CST2013-03-02 06:05:08 +0800 CST 2013-03-02 06:05:08 +0800 CST

HTAccess Allowing Login By Using Name As Password

772

I have an issue where my server is accepting a faulty password for my site.

For example, my domain name might be "johndoe.com" and the scenario is

ht login name: johndoe
ht password: johndoe123

Which works fine to log me in, however there is a small issue. For some reason I can also use my login name as the password and it will let me in! I tried using a random password but that didn't work (expected behavior).

I looked at my .htpasswd and it looks like this:

johndoe:rpFVb9n8R.p9c

So how is it that my password and my login name are both working as a correct password? This one is beyond me :/

1 Answers

Voted

nickgrim · Answer 1 · 2013-03-02T06:16:54+08:00

Best Answer

nickgrim

2013-03-02T06:16:54+08:002013-03-02T06:16:54+08:00

It looks like you might be using crypt for your password, based on the hash. Old versions of crypt effectively only use the first 8 characters of your password, so if the shared-prefix of your username and password is longer than that, that would cause the symptoms you're seeing.

Don't use crypt, use SHA instead; run htpasswd with the -s flag, e.g.

$ htpasswd -bs /path/to/htpasswd johndoe johndoe123

2

HTAccess Allowing Login By Using Name As Password

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?