How secure are secure .htaccess pages

Are there any known flaws with htaccess protected pages?

I know that they are susceptible to brute force attacks, since there are no restrictions on the number of login attempts. And if the user can upload and execute a file on the server, all bets are off ...

Are there any other disadvantages of .htaccess?

+4
2 answers

.htaccess is simply a tool for specifying Apache configuration directives for each directory. They allow you to use various types of password protection.

If you are talking about basic HTTP authentication, then the username and password are sent in clear text with each request and can be sniffed (if you are not using SSL).

In addition, they are prone to the usual problems that any password-based system suffers from.

Using HTTP Basic Authentication does not provide users with additional options for downloading and executing files. If they can do it, then they can do it anyway. If they cannot, they cannot.

+5

Using .htaccess is generic and fairly safe. However, this makes you more susceptible to other attacks, such as remote file vulnerabilities. For example, the following code can be used to undermine .htaccess.

include("./path/to/languages/".$_GET['lang']); 

The exploit will look like this:

 http://127.0.0.1/LFI_Vuln.php?lang=../../../.htaccess 

This will cause the .htaccess content to be displayed to the attacker.

+4
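
The include in the answer above builds a filesystem path directly from $_GET['lang'], which is what lets ../../../.htaccess resolve to a file outside the languages directory. A hardened form of that include, as an added example that is not part of the original answer; the directory location, language codes and file names are assumptions for illustration:

```php
<?php
// Added example: hardened replacement for
//   include("./path/to/languages/".$_GET['lang']);
// LANG_DIR, the language codes and the file names are assumed values.

const LANG_DIR = __DIR__ . '/path/to/languages';
const ALLOWED_LANGS = ['en' => 'en.php', 'de' => 'de.php', 'fr' => 'fr.php'];
const DEFAULT_LANG = 'en';

/**
 * Map a user-supplied language code to a file inside LANG_DIR.
 * Returns null when the request must be rejected.
 */
function resolve_language_file(string $requested): ?string
{
    // 1. Allow-list: user input selects a key, it never becomes part of a path.
    if (!array_key_exists($requested, ALLOWED_LANGS)) {
        return null;
    }

    // 2. Defence in depth: canonicalise the path and confirm it is still
    //    inside LANG_DIR (catches symlinks or a bad entry in the allow-list).
    $base = realpath(LANG_DIR);
    $path = realpath(LANG_DIR . '/' . ALLOWED_LANGS[$requested]);
    if ($base === false || $path === false) {
        return null;
    }
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// ?lang[]=x arrives as an array, so check the type before using it.
$lang = $_GET['lang'] ?? DEFAULT_LANG;
$file = is_string($lang) ? resolve_language_file($lang) : null;

if ($file === null) {
    // Log rejected values so traversal probes are visible in monitoring.
    error_log('rejected lang parameter: ' . json_encode($lang));
    $file = resolve_language_file(DEFAULT_LANG);
}
if ($file !== null) {
    include $file;
} else {
    http_response_code(500); // default language file is missing
}
```

With this in place, a request carrying lang=../../../.htaccess fails the allow-list lookup, is logged, and falls back to the default language file.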

Source: https://habr.com/ru/post/1308507/

