We relaunched the TWiki.org project with an expanded TWiki charter, and we invite you to participate! The TWiki.org Code of Conduct agreement took effect on 27 Oct 2008. We ask existing twiki.org users to opt-in. You need to opt-in to participate in the Blog, Codev, Plugins and TWiki webs. -- PeterThoeny - 27 Oct 2008
You are here: TWiki>
Codev Web>SourceForgeAllowsHtpasswdRead (28 Nov 2004, RichardDonkin)
Codev Web>SourceForgeAllowsHtpasswdRead (28 Nov 2004, RichardDonkin) Bug: SourceForge allows .htpasswd file to be read
Anybody with a sourceforge shell account, which is to say anybody with developer cvs access to any SF hosted project, can read the .htpasswd file of any SF-hosted twiki, inlcuding twiki.org.
All you need to know is the path to the data dir (and thereby to the passwords file). Figuring out the path is relatively simple if mind-numblingly boring by using the path to your own home directory as a template. - there is a not so boring way too: wait for, or contrive to make it happen, a
cicheck in or similar program error message. It will contain the complete filesystem path to the data dir. On SF, this happens fairly often (whenever/tmpis momentarily full or busy). -- MattWilkie - 26 Nov 2004
maphew@sc8-pr-shell1 ~ $ grep MattWilkie /path/to/twiki/data/.htpasswd MattWilkie:i4nfMMLCvfdj6 maphew@sc8-pr-shell1 ~ $ grep TWikiGuest /path/to/twiki/data/.htpasswd TWikiGuest:hl8FHOvpJcKawOnce you have access to the passwords file commonly available cracking tools can be used to decrypt it with relative ease. At least that's what documents like the 'Hack FAQ' say. [...] -- MattWilkie - 23 Apr 2004 Consequences for this are: a) the
.htpasswd can be read. There are several
easily available programs which can crack Apache password files. And b)
hidden webs are not hidden.
You can provide a thin layer of security by obfusticating the filesystem
path, e.g. $twikiroot/kumqwat/data instead of $twikiroot/data .However
error messages will often contain path info. For example failed ci checkin
error messages from RCS are common.
Important note for non-SF users: don't just kick back and relax, it is
unlikely that SF is the only host which has this vulnerability.
-- MattWilkie - 07 Nov 2004
Web hosts that use suexec or similar for a SecureSetup (e.g. Dreamhost, see DreamhostSetupNotes) tend not to have this problem, as the CGI scripts run as the hosting user rather than nobody. This makes it easy to set the permissions so other users can't read the hosting user's files.
-- RichardDonkin - 28 Nov 2004
originally posted in PasswordSecurityDiscussions and WikiSecurityPhilosophy Edit | Attach | Print version | History: r2 < r1 | Backlinks | Raw View | Raw edit | More topic actions
Topic revision: r2 - 28 Nov 2004 - 08:43:41 - RichardDonkin
-
Codev Web
-
Readme first
-
Developers News
-
Changes
-
Major Only
- All Webs
-
RSS Feed
-
Search
- Advanced
-
Topics of interest
-
Categories
-
All tags? / My tags
Create New Topic
Georgetown
TWiki 4.2.3- TWiki community
- TWiki marketing
- TWiki advocacy
- TWiki deployment
- Dev questions
- TWiki competition
- Usability
- Security
- Community
- How you can help
- Community roles
-
Answer Support questions
- Community
- #twiki (IRC)
- — logs
- Meet others
- Webs
-
Blog
- Codev
- Main
- Plugins
- Sandbox
- Support
- TWiki
- TWiki01
- TWiki02
- TWiki03
- TWiki04
- TWiki04x01
- TWiki04x02
Copyright © by the contributing authors. All material on this collaboration platform is the property of the contributing authors. Ideas, requests, problems regarding TWiki? Send feedback