I wrote about that to security (at) apache (dot) org [email concealed] in January. No response either.
Would be surprised if not a whole lot of other people noticed it as well.
A 2.0.x version I checked back then had the same problem iirc.
Thought they'd fix it at some point.
Philipp Krammer
On Thu, Sep 25, 2003 at 10:25:05PM +0200, Andreas Steinmetz wrote:
> This is valid for the htpasswd utility of at least apache 1.3.27 and 1.3.28:
>
> The salt used for password generation solely depends on the current
> system time:
>
> (void) srand((int) time((time_t *) NULL));
> ap_to64(&salt[0], rand(), 8);
>
> This causes all passwords generated within the same second to have the
> same salt value. This in turn may cause auto-generated default passwords
> to have the same value which could be a point of attack if the password
> file is not properly protected.
>
> The apache team was notified on 23.08.2003 but didn't respond.
>
> Though it would need quite some administrative errors before the above
> could be used it should still be corrected.
> --
> Andreas Steinmetz
>
I wrote about that to security (at) apache (dot) org [email concealed] in January. No response either.
Would be surprised if not a whole lot of other people noticed it as well.
A 2.0.x version I checked back then had the same problem iirc.
Thought they'd fix it at some point.
Philipp Krammer
On Thu, Sep 25, 2003 at 10:25:05PM +0200, Andreas Steinmetz wrote:
> This is valid for the htpasswd utility of at least apache 1.3.27 and 1.3.28:
>
> The salt used for password generation solely depends on the current
> system time:
>
> (void) srand((int) time((time_t *) NULL));
> ap_to64(&salt[0], rand(), 8);
>
> This causes all passwords generated within the same second to have the
> same salt value. This in turn may cause auto-generated default passwords
> to have the same value which could be a point of attack if the password
> file is not properly protected.
>
> The apache team was notified on 23.08.2003 but didn't respond.
>
> Though it would need quite some administrative errors before the above
> could be used it should still be corrected.
> --
> Andreas Steinmetz
>
[ reply ]