views:

72

answers:

2

Are there any known flaws with htaccess protected pages?

I know they are acceptable to brute force attacks as there is no limit to the amount of times someone can attempt to login. And a user can uploaded and execute a file on the server all bets are off...

Anything other .htaccess flaws?

+3  A: 

.htaccess is just a means of specifying Apache configuration directives on a per-directory basis. They allow numerous different kinds of password protection.

If you are talking about HTTP Basic Authentication then the username and password are sent in cleartext with every request and are subject to sniffing (assuming you aren't using SSL).

Aside from that, they are subject to the usual issues that any password based system suffers from.

Using HTTP Basic Authentication doesn't grant any additional ability for users to upload and execute files. If they can do that already, then they can still do that. If they couldn't, they can't.

David Dorward
Just for completeness sake, .htaccess also won't protect the directory's contents against poorly written server-side scripts (PHP, SSI, .net, etc) in other directories from snooping into the contents.
Kitsune
+1  A: 

The use of .htaccess is common and is fairly secure. However it makes you more susceptible to other attacks, such as remote file file disclosure vulnerabilities. For instance the follow code could be used to undermine .htaccess.

include("./path/to/languages/".$_GET['lang']);

An exploit would look like this:

http://127.0.0.1/LFI_Vuln.php?lang=../../../.htaccess

This will cause the contents of .htaccess to be displayed to the attacker.

Rook