Jump to content

.htaccess admin directory "compromisability"/clarifications


Matt Ball

Recommended Posts

Lets say I'm using the .htaccess protection on my admin directory, but the username and password I have chosen for it are the same as my forum login details. Obviously this would be bad practice but lets say it is done to make things simpler, after all, there is nothing in the AdminCP to say don't.

As far as I'm aware, every request from there on in (whilst in the ACP) will be sending your username and password across in effectively plain text. If you've used the same details as your main login this could obviously compromise the ACP. This would only be OK behind SSL, but how many people run their boards with SSL?

Have I misunderstood the very basic authentication of htaccess or should there REALLY be a warning on this option that it can in fact make things worse if you do not pick a different username and password?

Link to comment
Share on other sites

I can see why you say that although I'm not 100% sure it would be transmitted in plain text although I do see what you mean as its an authentication box.

It would be recommended to *not* use your user details for here, I seem to have suggested that before once or twice in a topic basically saying don't use your user (or worse still!) your FTP details for this.

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...