Bug: SourceForge allows .htpasswd file to be read

Anybody with a sourceforge shell account, which is to say anybody with developer cvs access to any SF hosted project, can read the .htpasswd file of any SF-hosted twiki, including twiki.org.

All you need to know is the path to the data dir (and thereby to the passwords file). Figuring out the path is relatively simple if mind-numbingly boring by using the path to your own home directory as a template.

  • there is a not so boring way too: wait for, or contrive to make it happen, a ci check in or similar program error message. It will contain the complete filesystem path to the data dir. On SF, this happens fairly often (whenever /tmp is momentarily full or busy). -- MattWilkie - 26 Nov 2004

For proof, I've extracted these two password entries from twiki.org:

maphew@sc8-pr-shell1 ~
$ grep MattWilkie /path/to/twiki/data/.htpasswd
MattWilkie:i4nfMMLCvfdj6

maphew@sc8-pr-shell1 ~
$ grep TWikiGuest  /path/to/twiki/data/.htpasswd
TWikiGuest:hl8FHOvpJcKaw 

Once you have access to the passwords file, commonly available cracking tools can be used to decrypt it with relative ease. At least that's what documents like the 'Hack FAQ' say.

[...]

-- MattWilkie - 23 Apr 2004

Consequences for this are: a) the .htpasswd can be read. There are several easily available programs which can crack Apache password files. And b) hidden webs are not hidden.

You can provide a thin layer of security by obfuscating the filesystem path, e.g. $twikiroot/kumqwat/data instead of $twikiroot/data. However error messages will often contain path info. For example failed ci checkin error messages from RCS are common.

Important note for non-SF users: don't just kick back and relax, it is unlikely that SF is the only host which has this vulnerability.

-- MattWilkie - 07 Nov 2004

Web hosts that use suexec or similar for a SecureSetup (e.g. Dreamhost, see DreamhostSetupNotes) tend not to have this problem, as the CGI scripts run as the hosting user rather than nobody. This makes it easy to set the permissions so other users can't read the hosting user's files.

-- RichardDonkin - 28 Nov 2004
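
A way for a site owner to check their own installation for the exposure discussed in this topic, as an added example that is not part of the original posts or of TWiki: the shell functions below report whether a password file is readable by other local accounts, judging only by the "other" permission bits. The function names and the optional TOP argument (the directory at which to stop climbing) are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit whether other local accounts on a shared host can read
# a password file. Only the classic "other" permission bits are examined (an
# assumption of this sketch); group membership and ACLs are not considered.

# other_bit PATH COLUMN: print one character of the `ls -ldL` mode string
# (column 8 = other-read, column 10 = other-execute/search).
other_bit() {
    ls -ldL -- "$1" | cut -c"$2"
}

# world_readable FILE [TOP]: return 0 (exposed) when FILE has the other-read
# bit and every directory from FILE's parent up to TOP (default /) can be
# searched by other users; 1 when protected; 2 when FILE cannot be checked.
world_readable() {
    file=$1
    [ -f "$file" ] || return 2
    top=$(CDPATH= cd -- "${2:-/}" && pwd -P) || return 2
    dir=$(CDPATH= cd -- "$(dirname -- "$file")" && pwd -P) || return 2
    [ "$(other_bit "$file" 8)" = "r" ] || return 1
    while :; do
        case $(other_bit "$dir" 10) in
            x|t) ;;            # searchable by others, keep climbing
            *) return 1 ;;     # traversal is blocked at this directory
        esac
        if [ "$dir" = "$top" ] || [ "$dir" = "/" ]; then break; fi
        dir=$(dirname -- "$dir")
    done
    return 0
}

# report FILE [TOP]: print a one-line verdict for FILE.
report() {
    rc=0
    world_readable "$@" || rc=$?
    case $rc in
        0) echo "EXPOSED   $1 (readable by any local account)" ;;
        1) echo "protected $1" ;;
        *) echo "unchecked $1 (missing or not accessible)" ;;
    esac
}
```

Run `report` against the .htpasswd in your own data directory. A renamed data directory still reports EXPOSED when the permission bits are open, while a file the CGI user owns with mode 600 reports protected.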

originally posted in PasswordSecurityDiscussions and WikiSecurityPhilosophy

Topic revision: r2 - 2004-11-28 - RichardDonkin
Copyright © 1999-2026 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.