Reputation: 4614
How secure are .htaccess protected pages
Are there any known flaws with htaccess protected pages?
I know they are acceptable to brute force attacks as there is no limit to the amount of times someone can attempt to login. And if a user can uploaded and execute a file on the server, all bets are off...
Are there any other .htaccess flaws?
Upvotes: 4
Views: 7224
Answers (2)
Reputation: 67029
The use of .htaccess is common and is fairly secure. However it makes you more susceptible to other attacks, such as remote file file disclosure vulnerabilities. For instance the follow code could be used to undermine .htaccess.
include("./path/to/languages/".$_GET['lang']);
An exploit would look like this:
http://127.0.0.1/LFI_Vuln.php?lang=../../../.htaccess
This will cause the contents of .htaccess to be displayed to the attacker.
Upvotes: 3
Reputation: 943996
.htaccess is just a means of specifying Apache configuration directives on a per-directory basis. They allow numerous different kinds of password protection.
If you are talking about HTTP Basic Authentication then the username and password are sent in cleartext with every request and are subject to sniffing (assuming you aren't using SSL).
Aside from that, they are subject to the usual issues that any password based system suffers from.
Using HTTP Basic Authentication doesn't grant any additional ability for users to upload and execute files. If they can do that already, then they can still do that. If they couldn't, they can't.
Upvotes: 5
Related Questions
- How secure is htaccess authentication
- Why is .htaccess insecure by default to prevent unauthorized access?
- How secure is .htaccess password protection?
- Correct way to protect .htacces file
- .htaccess safety vs password
- htaccess to provide security
- .htaccess File Security
- Protect Apache server
- .htaccess - a potential security threat for hack?
- Is protecting a website directory with a .htaccess file secure?