> Oh. I was just about to reply to say yes it does let the user in with
> the hashed password presented as the password.
yeah.. the reason is apparently that win32 is documented to allow clear-text
passwords for authentication. this was news to me, but I'm new to win32
httpd land. so really w

Geoffrey Young wrote:
>Geoffrey Young wrote:
>
>
>>hi steve :)
>>
>>if you have a moment, I was wondering if you could verify this scenario for me
>>
>>
>
>ah, forget it. the thread has gone on over in apr-dev@ as well as on irc
>with ryan. there are other issues in play, apparently.
>
Oh.

Geoffrey Young wrote:
> hi steve :)
>
> if you have a moment, I was wondering if you could verify this scenario for me
ah, forget it. the thread has gone on over in apr-dev@ as well as on irc
with ryan. there are other issues in play, apparently.
--Geoff

hi steve :)
if you have a moment, I was wondering if you could verify this scenario for me
http://marc.theaimsgroup.com/?l=apr-dev&m=108566146802317&w=2
here is a default unix htpasswd user/password (geoff/foo) pair
geoff:emzquyt3brYm2
it may not be a likely attack, since crypt does not ge
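
The scenario discussed in this thread, as an added example that is not part of the original messages or of any project's code: it classifies htpasswd entries by scheme and models a validator that, lacking crypt(3), compares unrecognised stored values as clear text. The function names, the fallback model and every sample entry except geoff's are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names; "user:value", $apr1$ and {SHA} are htpasswd conventions. */
enum scheme { S_MALFORMED, S_APR1_MD5, S_SHA1, S_CRYPT_SHAPED, S_OTHER };

/* Constructed sample; only the first entry is the pair quoted in the thread. */
static const char *const sample[] = {
    "geoff:emzquyt3brYm2",
    "alice:$apr1$EXAMPLE0$constructedValue000000",
    "bob:{SHA}constructedDigestPlaceholder=",
};

enum scheme classify_entry(const char *line)
{
    static const char set[] =
        "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
    const char *colon = strchr(line, ':');
    if (!colon || colon == line) return S_MALFORMED;
    const char *v = colon + 1;
    if (strncmp(v, "$apr1$", 6) == 0) return S_APR1_MD5;
    if (strncmp(v, "{SHA}", 5) == 0) return S_SHA1;
    /* Traditional crypt(3) output is 13 characters from the set above. */
    if (strcspn(v, "\r\n") == 13 && strspn(v, set) == 13) return S_CRYPT_SHAPED;
    return S_OTHER;
}

/* Assumed model of a validator with no crypt(3): a stored value that is not
 * a self-describing hash is compared byte for byte with what was typed. */
bool cleartext_fallback_accepts(const char *line, const char *typed)
{
    enum scheme s = classify_entry(line);
    if (s != S_CRYPT_SHAPED && s != S_OTHER) return false;
    const char *v = strchr(line, ':') + 1;
    size_t n = strcspn(v, "\r\n");
    return strlen(typed) == n && memcmp(typed, v, n) == 0;
}

/* Audit: how many entries would be usable with the hash itself as password. */
size_t count_crypt_shaped(const char *const *lines, size_t count)
{
    size_t hits = 0;
    for (size_t i = 0; i < count; i++)
        hits += classify_entry(lines[i]) == S_CRYPT_SHAPED;
    return hits;
}

int main(void) { printf("crypt-shaped entries: %zu\n", count_crypt_shaped(sample, 3)); return 0; }
```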