Posted to bugs@httpd.apache.org by bu...@apache.org on 2004/09/27 20:46:46 UTC
DO NOT REPLY [Bug 31440] New: - htpasswd salt generation weakness
http://issues.apache.org/bugzilla/show_bug.cgi?id=31440
Summary: htpasswd salt generation weakness
Product: Apache httpd-2.0
Version: 2.0.51
Platform: PC
OS/Version: Linux
Status: NEW
Severity: Normal
Priority: Other
Component: support
AssignedTo: bugs@httpd.apache.org
ReportedBy: ak@synflood.at
I noticed a salt generation weakness when using htpasswd in MD5 mode on platforms where rand() returns only a 32-bit value: since the MD5 salt is 48 bits wide, the last 2 or 3 characters are always filled with '.'.
$ htpasswd -m -c /tmp/htpasswdtest a
New password:
Re-type new password:
Adding password for user a
$ cat /tmp/htpasswdtest
a:$apr1$sTQf/...$v6RZCfMprmLq5vMTzpwH2/
$
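
Added example (not part of the original report and not htpasswd's own source): a sketch of why a salt built from one 32-bit integer ends in '.', assuming the salt is written 6 bits at a time, low bits first, with the crypt-style alphabet whose first symbol is '.'. The function names and the hardened variant are hypothetical, and the value 28166136 is constructed so that it encodes to the salt shown in the report.

```c
#include <stdio.h>
#include <string.h>

/* crypt-style alphabet; index 0 is '.', which is why zero bits print as dots */
static const char itoa64[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

#define SALT_LEN 8 /* 8 characters x 6 bits = 48 bits of salt space */

/* Assumed weak scheme: one integer written out 6 bits at a time, low bits first. */
static void salt_from_value(char out[SALT_LEN + 1], unsigned long v)
{
    for (int i = 0; i < SALT_LEN; i++) {
        out[i] = itoa64[v & 0x3f];
        v >>= 6;
    }
    out[SALT_LEN] = '\0';
}

/* Trailing characters that are always '.' for a source of at most `bits` bits. */
static int fixed_tail_chars(int bits)
{
    int used = (bits + 5) / 6; /* characters that receive at least one bit */
    return used >= SALT_LEN ? 0 : SALT_LEN - used;
}

/* Hypothetical hardened variant: every character takes its own 6 bits from
 * a buffer the caller fills from the OS CSPRNG, so all 48 bits can vary. */
static void salt_from_bytes(char out[SALT_LEN + 1],
                            const unsigned char rnd[SALT_LEN])
{
    for (int i = 0; i < SALT_LEN; i++)
        out[i] = itoa64[rnd[i] & 0x3f];
    out[SALT_LEN] = '\0';
}

int main(void)
{
    char salt[SALT_LEN + 1];
    /* constructed stand-in for CSPRNG output, fixed so the run is repeatable */
    const unsigned char rnd[SALT_LEN] = {0x9c, 0x11, 0xe7, 0x42, 0x5b, 0xd0, 0x38, 0xaf};
    salt_from_value(salt, 28166136UL); /* constructed value */
    printf("%s\n", salt);
    salt_from_value(salt, 0xffffffffUL); /* largest 32-bit value */
    printf("%s  (fixed tail: %d chars)\n", salt, fixed_tail_chars(32));
    salt_from_bytes(salt, rnd);
    printf("%s\n", salt);
    return 0;
}
```

With a 32-bit source the sixth character receives only two bits and the last two receive none, so the salt space shrinks from 48 bits to at most 32.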