Posted to bugs@httpd.apache.org by bu...@apache.org on 2004/09/27 20:46:46 UTC

DO NOT REPLY [Bug 31440] New: - htpasswd salt generation weakness

http://issues.apache.org/bugzilla/show_bug.cgi?id=31440

           Summary: htpasswd salt generation weakness
           Product: Apache httpd-2.0
           Version: 2.0.51
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: support
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: ak@synflood.at


I noticed a salt generation weakness when using htpasswd in MD5 mode on
platforms where rand() returns only a 32-bit value: since the MD5 salt is
48 bits wide, the last 2 or 3 characters are always filled with '.'.

$ htpasswd -m -c /tmp/htpasswdtest a
New password: 
Re-type new password: 
Adding password for user a
$ cat /tmp/htpasswdtest
a:$apr1$sTQf/...$v6RZCfMprmLq5vMTzpwH2/
$
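
The effect described in the report, reproduced as an added example that is not htpasswd's own code. It assumes a crypt-style encoder that emits 6 bits per salt character, low bits first, with '.' at alphabet index 0; encode_salt, trailing_dots and salt_from_bytes are hypothetical names, and the input values are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SALT_LEN 8 /* 8 characters x 6 bits = the 48-bit salt from the report */

/* crypt-style alphabet; index 0 is '.', so an all-zero 6-bit group prints as '.' */
static const char ITOA64[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

/* Assumed encoder: emit SALT_LEN characters from v, low 6 bits first. */
static char *encode_salt(char out[SALT_LEN + 1], uint64_t v)
{
    for (int i = 0; i < SALT_LEN; i++, v >>= 6)
        out[i] = ITOA64[v & 0x3f];
    out[SALT_LEN] = '\0';
    return out;
}

/* Count trailing '.' characters: positions that received no random bits. */
static int trailing_dots(const char *salt)
{
    int n = 0;
    for (size_t i = strlen(salt); i > 0 && salt[i - 1] == '.'; i--)
        n++;
    return n;
}

/* Corrected form: pack 6 bytes (48 bits) of entropy so every position is used. */
static char *salt_from_bytes(char out[SALT_LEN + 1], const unsigned char e[6])
{
    uint64_t v = 0;
    for (int i = 0; i < 6; i++)
        v = (v << 8) | e[i];
    return encode_salt(out, v);
}

int main(void)
{
    char salt[SALT_LEN + 1];
    unsigned char e[6];
    encode_salt(salt, 0x3FFFFFFFu);        /* constructed 30-bit value */
    printf("narrow source: %s (%d trailing dots)\n", salt, trailing_dots(salt));
    FILE *f = fopen("/dev/urandom", "rb"); /* assumed entropy source */
    if (!f || fread(e, 1, sizeof e, f) != sizeof e)
        return 1;
    fclose(f);
    printf("48-bit source: %s\n", salt_from_bytes(salt, e));
    return 0;
}
```

A value of at most 32 bits fills five characters completely and leaves only 2 bits for the sixth, so characters seven and eight are always '.' and the sixth is '.' whenever those top bits are zero.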
