Hacking .htaccess
iamdave 05-27-2002, 11:37 PM I know that is possible to hack .htaccess, but I do not know how, does anyone know how to do this? I want to know because I want to see how easy it is to be hacked into, because I do protect some sensitive data with .htaccess and .htpasswd. So I need to know how easy it is for someone to hack into an .htaccess protected directory.
priyadi 05-28-2002, 12:39 AM Try accessing your .htaccess and .htpasswd files using your web browser. If the server gives you those files, then you have a big problem :).
iamdave 05-28-2002, 12:48 AM I already know that, and my files are both hidden, however I know that people are able to add users to the .htaccess easily, I want to know how, so that I know how easy it is.
Rochen 05-28-2002, 12:53 AM I think if anyone knows the answer to this they should PM iamdave with it rather than posting it in the public forum as it could lead to security breaches etc.
The Prohacker 05-28-2002, 12:53 AM Adding a user to an .htpassword:
htpasswd /home/username/etc/.htpasswd newusername
This is only a problem if the .htpassword is chmod 777, if so, well time to have some fun.. Also make sure the .htaccess isn't chmoded 777 because someone could change the password file to their own....
Mind you, these are all local threats....
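To check for the "chmod 777" exposure The Prohacker describes, here is an added audit script (not from the thread) that walks a document root and reports .htaccess/.htpasswd files other local accounts could modify, plus .htpasswd files every local account can read; the root path is whatever you pass in.

```shell
# Added example: audit a docroot for .htaccess/.htpasswd files that other
# local accounts could alter or read. Returns 0 when clean, 1 when it finds
# anything, so it can gate a deploy script.
audit_htfiles() {
    root="$1"
    status=0
    # Group- or world-writable control files let any local user rewrite the
    # access rules or point AuthUserFile at a password file they control.
    writable=$(find "$root" \( -name .htaccess -o -name .htpasswd \) \
                    \( -perm -g=w -o -perm -o=w \) -print)
    if [ -n "$writable" ]; then
        printf '%s\n' "$writable" | sed 's/^/WRITABLE BY OTHERS: /'
        status=1
    fi
    # A world-readable .htpasswd hands its hashes to anyone with shell access
    # (the brute-force scenario mentioned later in the thread). The httpd user
    # still needs read access, so 640 with the server's group is the usual fix.
    readable=$(find "$root" -name .htpasswd -perm -o=r -print)
    if [ -n "$readable" ]; then
        printf '%s\n' "$readable" | sed 's/^/HASHES READABLE BY ALL: /'
        status=1
    fi
    return $status
}
```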
priyadi 05-28-2002, 01:39 AM Yes, I agree these are probably local attacks. Apache doesn't have a standard way of manipulating .htpasswd files from a web browser. Another possibility is insecure CGI scripts.
xerocity.com 05-28-2002, 03:09 AM Does anyone know how to decode a password in the .htpasswd file? I was working on a script earlier today that utilized .htaccess and .htpasswd, but I ended up giving up on using .htaccess because I was unable to decrypt the password.
The reason I wanted to decrypt the password was for password verification; I was able to verify if the username existed in the file (plain text entry), but the passwords are encrypted so I was unable to truly verify if the user was correct.
Optionally, does anyone know how to get the password from the .htaccess prompt?
The username environment variable is REMOTE_USER.
Is there by any chance an environment variable which stores the password?
Please feel free to PM me if you think it may be a breach of security.
driverdave 05-28-2002, 04:49 AM 2 way encryption is a bad idea. You should always use one way encryption schemes if you are storing passwords on a server.
Why would you need to know the de-crypted password to verify?
Just take the user input password, encrypt it with the same scheme as htpasswd and compare to the password on the server.
CyberScript 05-28-2002, 04:57 AM You can't decrypt a password, that would defeat the purpose of encrypting it in the first place.
To verify a password you simply encrypt the password sent via the form and compare the result with the one in the .htpasswd file. But you have to remember to use the same salt (usually the first 2 characters of the encryption, depends on the server though).
Also, there is no environment variable which stores the sent password, the only way you could retrieve it is writing your own authorization module for apache (using perl or c++).
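The check driverdave and CyberScript describe (re-hash the submitted password with the stored entry's own salt and compare, never decrypt) is shown here as an added example, not code from the thread: it implements Apache's own `$apr1$` (htpasswd -m) and `{SHA}` entry formats with only the standard library. The sample .htpasswd text is constructed; its first line is the example from the Apache htpasswd manual. Traditional crypt() entries, where the salt is the first two characters, work the same way through the system crypt library and are left out here.

```python
import base64, hashlib, hmac
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(v, n):  # Apache's 6-bit encoding (not standard base64), low bits first
    out = bytearray()
    for _ in range(n):
        out.append(ITOA64[v & 0x3F]); v >>= 6
    return bytes(out)

def apr1_md5(password: bytes, salt: bytes) -> bytes:
    """$apr1$ scheme used by 'htpasswd -m': salted MD5 with 1000 rounds."""
    salt = salt[:8]
    ctx = hashlib.md5(password + b"$apr1$" + salt)
    alt = hashlib.md5(password + salt + password).digest()
    n = len(password)
    while n > 0:                      # mix in len(password) bytes of alt
        ctx.update(alt[:min(16, n)]); n -= 16
    n = len(password)
    while n:                          # bit pattern of the length
        ctx.update(b"\0" if n & 1 else password[:1]); n >>= 1
    final = ctx.digest()
    for i in range(1000):             # stretching rounds
        c = hashlib.md5(password if i & 1 else final)
        if i % 3: c.update(salt)
        if i % 7: c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()
    f, out = final, b"$apr1$" + salt + b"$"
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((f[a] << 16) | (f[b] << 8) | f[c], 4)
    return out + _to64(f[11], 2)

def check_password(stored: str, password: str) -> bool:
    """Re-hash the submitted password with the stored entry's salt and compare."""
    pw = password.encode()
    if stored.startswith("{SHA}"):                  # unsalted SHA-1 (htpasswd -s)
        cand = "{SHA}" + base64.b64encode(hashlib.sha1(pw).digest()).decode()
    elif stored.startswith("$apr1$"):               # salt is the third '$' field
        cand = apr1_md5(pw, stored.split("$")[2].encode()).decode()
    else:
        return False   # crypt()/bcrypt entries need a library; refuse, don't guess
    return hmac.compare_digest(cand.encode(), stored.encode())

# Constructed sample .htpasswd: line 1 is the Apache manual's example for
# 'htpasswd -nbm myName myPassword'; line 2 is {SHA} of "password".
HTPASSWD = "myName:$apr1$r31.....$HqJZimcKQFAMYayBlzkrA/\nalice:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=\n"
def verify_user(htpasswd_text: str, user: str, password: str) -> bool:
    for line in htpasswd_text.splitlines():
        name, _, stored = line.partition(":")
        if name == user: return check_password(stored, password)
    return False
```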
priyadi 05-28-2002, 11:57 AM Originally posted by CyberScript
Also, there is no environment variable which stores the sent password, the only way you could retrieve it is writing your own authorization module for apache (using perl or c++).
Yes, there is, but only when Apache is compiled with -DSECURITY_HOLE_PASS_AUTHORIZATION. The environment variable that stores this value is HTTP_AUTHORIZATION. It is disabled by default because on some systems a user is able to see the environment of other processes owned by another user.
The Prohacker 05-28-2002, 12:07 PM Originally posted by CyberScript
You can't decrypt a password, that would defeat the purpose of encrypting it in the first place.
Very untrue.....
Programs such as John The Ripper (http://www.openwall.com/john/) can brute force a file... You of course won't always get the users exact password since the passwords use MD5 encryption...
I take some of that back, JtR doesn't decrypt the password, but still it can be broken...
CyberScript 05-28-2002, 02:13 PM I think John the Ripper just guesses the password using a word list.
The Prohacker 05-28-2002, 02:15 PM Originally posted by CyberScript
I think Jack the Ripper just guesses the password using a word list.
It brute forces the pass.. You can have it use a word list though... Although most people know not to use words :D
ISPDownunder 05-29-2002, 06:20 AM If you use OcoLoco to administrate your client domains... you can see all user passwords as administrator, including .htaccess etc.
bombino 05-29-2002, 03:39 PM If you're using PHP, the submitted username and password will be stored in $PHP_AUTH_USER and $PHP_AUTH_PASS.
denisdekat 05-29-2002, 06:49 PM Depending on how you got things running, perhaps AllowOverride can be set to no under certain directories. This is of course if you are worried about certain things. Let's say you did not want to give your client CGI, thus their directory or parent directory would have Options without ExecCGI. But me, I'm a punk and I place a .htaccess in there with this line
Options ExecCGI Includes
Now I can run scripts and Server Side Includes (SSI). By placing my own .htaccess I may give myself rights that you denied me in your server configuration, but having AllowOverride set to yes in the httpd.conf for this directory will make it so that the FTP amateur can get in and change the rules on you ...
Hope this helps or at least inspires a mini-thought ;)
Andres
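The override problem denisdekat describes, as an added httpd.conf example (not from the thread): the weak block lets a client-writable .htaccess switch ExecCGI back on, the hardened block still permits the auth directives this thread is about but refuses Options. It assumes Apache 2.4 directive syntax and a constructed path /home/client/public_html.

```apacheconf
# Weak: the server denies CGI and SSI for the client directory ...
<Directory "/home/client/public_html">
    Options -ExecCGI -Includes
    # ... but lets a .htaccess override everything, so one line of
    # "Options ExecCGI Includes" in the client's own .htaccess turns it back on.
    AllowOverride All
</Directory>

# Hardened: .htaccess may only carry AuthType/AuthUserFile/Require and
# access limits. A .htaccess that tries "Options" is refused: Apache answers
# 500 and logs ".htaccess: Options not allowed here".
<Directory "/home/client/public_html">
    Options -ExecCGI -Includes
    AllowOverride AuthConfig Limit
    # Keep the password file outside the docroot, e.g. /home/client/etc/.htpasswd
</Directory>

# Never serve the control files, even if one is placed under the docroot
# (this answers priyadi's "fetch it with a browser" test above).
<Files ".ht*">
    Require all denied
</Files>
```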