
I have a server running apache2 on Debian Lenny.

Something strange happens with the folders protected by .htaccess.

Basically, if you enter a wrong password that is formed as the_correct_password + _more_chars, it lets you in. If you enter an incorrect password in any other way, of course it says forbidden.

So I ask: is this behavior correct? If you enter the correct password first + any other chars, should it let you in? How can I make Apache check for the exactly correct password and not just a correct password at the beginning of the entered password?

I hope I have explained the problem in the clearest way :)

shadow_of__soul

1 Answer

Are you storing the passwords in the classic "crypt" DES format (14 characters long, a-z, A-Z, 0-9, "." and/or "/" characters, like: "papAq5PwY/QQM", with no $ signs in the encrypted password)?

If you are, that would explain it. That format is limited to 8 characters, so anything past 8 characters gets ignored. If the correct password is 8 (or more) characters, adding more characters at the end won't make a difference.

To fix it, use MD5 or SHA to store the passwords instead. If you're using the "htpasswd" command, add "-m" or "-s" to your options when you set the password.

freiheit
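To make the answer's diagnosis checkable, here is an added Python example (not code from the question, the answer, or the Apache project) that audits an htpasswd file for traditional DES-crypt entries, which only ever compare the first 8 characters of the password, and shows that a `{SHA}` entry (the `htpasswd -s` format) checks the whole password. The sample file is constructed: the crypt-style hash is the one quoted in the answer, the `{SHA}` line is the encoding of "password", and the `$apr1$` line is only a placeholder with the right prefix, not a real hash. The `crypt_truncates` helper uses Python's `crypt` module where it still exists and returns `None` otherwise, so the rest of the script runs on any Python 3.

```python
"""Audit an htpasswd file for DES-crypt entries (first 8 characters only)
and show that a {SHA} entry checks the full password.
Added example; not code from the question, the answer, or Apache."""
import base64
import hashlib
import hmac
import re
import warnings

# Constructed sample file. "papAq5PwY/QQM" is the crypt-style hash quoted in
# the answer; the {SHA} entry is htpasswd -s output for "password"; the
# $apr1$ entry is a placeholder with the right prefix, not a real hash.
SAMPLE_HTPASSWD = """\
alice:papAq5PwY/QQM
bob:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
carol:$apr1$0123abcd$placeholderhashvalue00
"""

# Traditional crypt(3) output: 2 salt characters + 11 hash characters, all
# drawn from [./0-9A-Za-z], with no '$' scheme prefix.
CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify(hash_field):
    """Return the htpasswd hash scheme name for one password field."""
    if hash_field.startswith("$apr1$"):
        return "apr1-md5"          # htpasswd -m
    if hash_field.startswith("{SHA}"):
        return "sha1"              # htpasswd -s
    if hash_field.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"            # htpasswd -B
    if CRYPT_RE.match(hash_field):
        return "crypt-des"         # htpasswd -d (old default)
    return "unknown"


def audit_htpasswd(text):
    """Parse htpasswd text; return [(user, scheme, truncates_at_8)]."""
    results = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, hash_field = line.split(":", 1)
        scheme = classify(hash_field)
        results.append((user, scheme, scheme == "crypt-des"))
    return results


def sha_entry(password):
    """Encode a password the way htpasswd -s does: {SHA} + base64(SHA-1)."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def verify_sha(password, hash_field):
    """Check a password against a {SHA} entry using a constant-time compare."""
    if not hash_field.startswith("{SHA}"):
        raise ValueError("not a {SHA} entry")
    expected = base64.b64decode(hash_field[len("{SHA}"):])
    actual = hashlib.sha1(password.encode("utf-8")).digest()
    return hmac.compare_digest(expected, actual)


def crypt_truncates(correct, entered):
    """True if DES crypt accepts `entered` for `correct`; None when the crypt
    module is missing (removed in Python 3.13) or DES crypt is disabled."""
    try:
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)
            import crypt
    except ImportError:
        return None
    salt = "ab"  # constructed 2-character salt selects traditional DES crypt
    reference = crypt.crypt(correct, salt)
    if not reference or not CRYPT_RE.match(reference):
        return None  # libc refused DES crypt; nothing to compare
    return crypt.crypt(entered, salt) == reference


if __name__ == "__main__":
    for user, scheme, weak in audit_htpasswd(SAMPLE_HTPASSWD):
        note = "  <- only first 8 chars checked; re-set with htpasswd -m/-s" if weak else ""
        print(f"{user}: {scheme}{note}")
    entry = sha_entry("password")
    print("{SHA} accepts 'password':   ", verify_sha("password", entry))
    print("{SHA} accepts 'password123':", verify_sha("password123", entry))
    print("DES crypt accepts 'password123' for 'password':",
          crypt_truncates("password", "password123"))
```

Running the audit over a real `.htpasswd` flags every 13-character no-prefix entry as one that must be re-set with `htpasswd -m` or `htpasswd -s`; the `{SHA}` check shows that, once re-set, "password123" is no longer accepted for "password".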