Weak passwords are a feature of Apache

 Jun 11th, 2011 


I was looking for an SVN provider for a personal project. One of the providers I found (I will not disclose the name) had a very nice offer and some extra features compared to the others, so I started playing with their website and SVN. By accident, I found that only the first 8 characters of the password are validated when logging in to the SVN repository. What does that mean? It means that if my password is “MySuperStrongPassword” then I can log in with any of the following:

  • MySuperS
  • MySuperSXX
  • MySuperSUselessCharacters

because only the first eight characters (MySuperS) are validated, which makes a password of more than 8 characters exactly as strong as one of 8 characters.
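The behaviour described above is that of traditional crypt(3) DES password hashing, the CRYPT format that Apache's htpasswd writes with `-d`: it uses at most the first 8 bytes of the password and silently drops the rest. Apache's other formats (MD5 with `-m`, SHA with `-s`, bcrypt with `-B`) do not truncate, so this is a choice of hash format, not an unavoidable property of Apache. The following Python is an added example, not code from this post or from the provider: it models the truncation with a stand-in hash (real DES crypt is not implemented here), contrasts it with a full-length PBKDF2 check, and adds a small audit that flags htpasswd entries still stored in the 13-character crypt format. The salt, the sample htpasswd lines and their hash values are constructed for the example.

```python
"""Added example: why only the first 8 characters of a password count under
traditional crypt(3), and how to find htpasswd entries that still use it."""
import hashlib
import hmac
import re

# crypt(3) in its original DES form uses at most the first 8 bytes of the
# password as the key; everything after that is silently discarded.
CRYPT_MAX_LEN = 8


def weak_hash(password: str, salt: bytes) -> bytes:
    """Stand-in for the truncating scheme (not DES itself): the password is
    cut to CRYPT_MAX_LEN bytes before hashing, so any two passwords that
    share their first 8 bytes produce the same digest."""
    key = password.encode("utf-8")[:CRYPT_MAX_LEN]
    return hashlib.sha256(salt + key).digest()


def strong_hash(password: str, salt: bytes) -> bytes:
    """Full-length scheme: every byte of the password feeds the KDF."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def weak_verify(candidate: str, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(weak_hash(candidate, salt), stored)


def strong_verify(candidate: str, salt: bytes, stored: bytes) -> bool:
    return hmac.compare_digest(strong_hash(candidate, salt), stored)


def accepted_logins(real_password: str, candidates: list, salt: bytes) -> dict:
    """Map each candidate to (accepted by truncating scheme, accepted by full-length scheme)."""
    weak_stored = weak_hash(real_password, salt)
    strong_stored = strong_hash(real_password, salt)
    return {
        c: (weak_verify(c, salt, weak_stored), strong_verify(c, salt, strong_stored))
        for c in candidates
    }


# ---- auditing an htpasswd file for the truncating format ----------------
# Traditional crypt entries are exactly 13 characters from [./0-9A-Za-z]
# (2-character salt + 11-character hash) with no "$..." or "{...}" prefix.
_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def hash_format(stored: str) -> str:
    if stored.startswith("$apr1$"):
        return "apr1-md5"   # htpasswd -m
    if stored.startswith("{SHA}"):
        return "sha1"       # htpasswd -s
    if stored.startswith(("$2y$", "$2a$", "$2b$")):
        return "bcrypt"     # htpasswd -B
    if _CRYPT_RE.match(stored):
        return "crypt"      # htpasswd -d: only the first 8 characters count
    return "unknown"


def truncating_accounts(htpasswd_text: str) -> list:
    """Return the users whose stored hash covers only the first 8 characters."""
    users = []
    for line in htpasswd_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        if hash_format(stored) == "crypt":
            users.append(user)
    return users


# Constructed sample file: the hash values are made up but have the shape of each format.
SAMPLE_HTPASSWD = """\
alice:abJ2yhqFXjYzI
bob:$apr1$xyzsalt1$abcdefghijklmnopqrstuv
carol:{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g=
dave:$2y$05$abcdefghijklmnopqrstuuabcdefghijklmnopqrstuvwxyz01234
"""

if __name__ == "__main__":
    salt = b"constructed-salt"   # constructed, not a real salt value
    real = "MySuperStrongPassword"
    tries = ["MySuperS", "MySuperSXX", "MySuperSUselessCharacters", "MySuperP"]
    for cand, (weak_ok, strong_ok) in accepted_logins(real, tries, salt).items():
        print(f"{cand:28} truncating: {weak_ok!s:5}  full-length: {strong_ok}")
    print("accounts with truncating hashes:", truncating_accounts(SAMPLE_HTPASSWD))
```

Run as a script it shows the three variants from the list above accepted by the truncating scheme and rejected by the full-length one, with "MySuperP" (differing within the first 8 characters) rejected by both; the audit half is what you would run over a provider's or your own htpasswd file to find accounts that need re-hashing.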

Immediately, I sent a message to customer service:

Dear sir/madam,

[…] If I set a password with more than 8 characters, then only the first 8 are validated at SVN login, making it possible to access the repository using just the first 8 characters of my password.

[… the rest of the message with details and repro steps]

They have a good (but useless, as will be seen shortly) customer service. I got a response after 3 hours:

Hi Victor,

This is not so much an issue with our Subversion servers; it's more a feature of Apache-based systems.

I’m interested to understand why you think this is a security issue though.

Please let me know if you need any further assistance.

Cheers,[…]

Do I need to add any more comments? WTF? I explained to the guy why I think that is a big issue, and he closed the thread without any further comment.

The sad part is that a few hundred companies pick them every week for hosting projects (that's what their website says)…

  • Victor

    @Mictateur: I fixed the typo. Thanks!
    @Dorin: Totally agree

  • http://dorinlazar.ro/ Dorin

    That’s insane. This is no feature of Apache – this is more of a misconfiguration.

  • Mictateur

    I love that feature, I really do, but somehow, I prefer software without it.

    And dude, please tell: which was it?

    BTW: MySuperS, not MySuperP. ;)