password protect security problem

Snowman30

I have just been notified by a client that the .htaccess password protect function is playing up on accounts on one of our servers.

Let's say you password protect the folder /public_html/admin

and you set a user as "admin" with a pass of, say, "foobar".

Well, we have found that foo, foob, fooba and foobars all let the user log in.

This is very wrong. Anyone have any ideas as to what's going on?

We are using the latest cPanel 11 R release.
 

Gausar

Cannot reproduce your problem

I tested on a couple of my servers and could not reproduce this issue.
Are you sure it is not something else?
 

nyjimbo

Which version of Apache are you running?
 

Frimon86

This could be a setting inside your server's WHM config, I think. Have you tried checking your server's WHM?!?
 

nyjimbo

still running 1.3

I can't recreate the error other than on this one server, which has me completely stumped.
If you can get one of the offending .htaccess files and upload it here (don't change anything except stuff that might expose your server) that would help.

It's possible one or more lines are messed up, especially the "require" statement. It's a long shot, but that would explain the error you are seeing.
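
One way to run the check suggested in the post above, as an added example that is not part of the original thread: a small Python linter for the Basic-auth directives in an .htaccess file, with the "require" line checked most closely. The sample file contents, the path in them and the function name check_htaccess_auth are constructed for illustration.

```python
import shlex

# Constructed samples (not from the thread): a protected-directory .htaccess,
# and the same file with a damaged "require" line.
SAMPLE_OK = '''AuthType Basic
AuthName "admin"
AuthUserFile "/home/example/.htpasswds/public_html/admin/passwd"
require valid-user
'''
SAMPLE_BROKEN = SAMPLE_OK.replace("require valid-user", "require valid_user")

# Directives this check understands; other Auth* directives exist in Apache.
KNOWN = {"authtype", "authname", "authuserfile", "authgroupfile", "require"}

def check_htaccess_auth(text):
    """Return a list of problems in the Basic-auth directives of an .htaccess file."""
    problems, seen = [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            parts = shlex.split(line)  # honours the quoting used around realm and path
        except ValueError:
            problems.append(f"line {lineno}: unbalanced quotes")
            continue
        name, args = parts[0].lower(), parts[1:]
        if name.startswith(("auth", "require")) and name not in KNOWN:
            # Catches run-together lines such as "requirevalid-user".
            problems.append(f"line {lineno}: {parts[0]!r} is not known to this check, verify spelling")
            continue
        seen.add(name)
        if name == "authtype" and [a.lower() for a in args] not in (["basic"], ["digest"]):
            problems.append(f"line {lineno}: AuthType should be Basic or Digest")
        elif name in ("authname", "authuserfile") and len(args) != 1:
            problems.append(f"line {lineno}: {parts[0]} takes exactly one argument")
        elif name == "require":
            kind = args[0].lower() if args else ""
            if kind not in ("valid-user", "user", "group"):
                problems.append(f"line {lineno}: require has unknown type {kind!r}")
            elif kind != "valid-user" and len(args) < 2:
                problems.append(f"line {lineno}: require {kind} lists no names")
    for needed in ("authtype", "authname", "authuserfile", "require"):
        if needed not in seen:
            problems.append(f"missing directive: {needed}")
    return problems
```

An empty list means the four directives are present and well-formed; it says nothing about the contents of the password file that AuthUserFile points to.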
 

onaweb

Hello,
I am experiencing the same issue. I have a password of user2007 and you can enter user200, user2008, user2009, user20 - they all let you log in.

Did anyone find a solution to this issue?

Thanks,
Andy