Hi, I wrote about that to security@xxxxxxxxxx in January. No response either. Would be surprised if not a whole lot of other people noticed it as well. A 2.0.x version I checked back then had the same problem iirc. Thought they'd fix it at some point. Philipp Krammer On Thu, Sep 25, 2003 at 10:25:05PM +0200, Andreas Steinmetz wrote: > This is valid for the htpasswd utility of at least apache 1.3.27 and 1.3.28: > > The salt used for password generation solely depends on the current > system time: > > (void) srand((int) time((time_t *) NULL)); > ap_to64(&salt[0], rand(), 8); > > This causes all passwords generated within the same second to have the > same salt value. This in turn may cause auto-generated default passwords > to have the same value which could be a point of attack if the password > file is not properly protected. > > The apache team was notified on 23.08.2003 but didn't respond. > > Though it would need quite some administrative errors before the above > could be used it should still be corrected. > -- > Andreas Steinmetz >
Attachment:
pgp00011.pgp
Description: PGP signature