[wikka-community] replacing wikka-login/authentication with apache htaccess/htusers

Will Woodhull wwoodhull
Sun Aug 29 14:59:54 GMT 2010


I was perhaps too hasty in my earlier response, where I left the
intermediate steps in the logic as an exercise for the reader and just
stated the implications of the result. That is a bad habit I picked up in my
first career, when I was working with physicians and surgeons who had been
trained to this kind of shorthand presentation. The idea there being that if
you cannot quickly work through the logic chain from the known facts to a
given implication, then you should not be trusted with a scalpel and it
would be best for everybody if you flunked out of med school quickly.

Here's the long version:

Apache security through .htaccess is pretty good. The security scheme used
by Wikkawiki is also fairly good, although as noted it could be cracked by
someone clever who had full access to the MySQL tables. Only trusted
individuals should have that level of access to the web site.

There is no publicly known way to set up .htaccess passwords other than
encrypting them in the usual fashion. Which is as it should be.

That means for a third party to duplicate Wikka passwords in .htaccess, that
person would have to have the cleartext of the Wikka passwords. If those
were not furnished to them by the users, then they would have to crack
Wikka's security to get them.

So the short answer is still that if anyone knows how to do what was
requested, it would be better if they kept their mouths shut (rather than
outlining the steps to cracking Wikka's security in a way that any script
kiddie could follow).

If one can trust that users would not counterfeit each other, it would be
possible to automate the Wikka log-in by accessing the environment variable
that Apache sets up that names the owner of the session. The wiki would be
no more secure than it was, except that it would only be running within
sessions that Apache had already secured. That would be good enough I should
think for a great many situations. But perhaps not for MIT or Georgia Tech
undergrads.



On Sun, Aug 29, 2010 at 6:11 AM, flurios <flurios at gmail.com> wrote:

> On Sat, Aug 28, 2010 at 4:51 PM, Will Woodhull <wwoodhull at gmail.com>
> wrote:
> > This question seems to be the same as
> >
> >        "Does anyone know how to extract the cleartext passwords from
> > Wikkawiki?"
> >
> The question was more like: can you make apache eat unsalted md5
> hashes or salting existing hashes... or whatever.
>
> > I would hope that if there is anyone who has cracked the Wikkawiki
> security
> > scheme, they will keep their mouth shut.
> >
> it's not about cracking anything. the passwords are saved in the
> mysql-db -- not in clear text, but hashed. with rainbow tables they
> could be reverse engineered. so using htaccess could be more secure.
>
> cheers
>
> _______________________________________________
> WikkaWiki Community mailing list
> community at wikkawiki.org
> http://mail.wikkawiki.org/mailman/listinfo/community_wikkawiki.org
>



-- 
Will Woodhull
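As an added illustration of the log-in automation sketched above (not code from this thread or from WikkaWiki): a Python, WSGI-style check that trusts only the server-set AUTH_TYPE and REMOTE_USER variables, maps the name to an existing wiki account, and logs nobody in otherwise. The username pattern, the accepted auth types and the sample account table are assumptions.

```python
import re

# Constructed example: decide whether a request that Apache already
# authenticated (via .htaccess / htusers) may be mapped to a wiki login.
# Illustrative only; not WikkaWiki code.

# Assumed shape of an acceptable htusers name (not a Wikka rule).
USERNAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_.-]{0,31}$")


def apache_authenticated_user(environ, allowed_auth_types=("Basic", "Digest")):
    """Return the username Apache authenticated for this request, or None.

    Only the server-set CGI variables AUTH_TYPE and REMOTE_USER are trusted.
    A client-supplied 'Remote-User:' header arrives as HTTP_REMOTE_USER and
    is ignored, so a browser cannot name itself as another account.
    """
    auth_type = environ.get("AUTH_TYPE", "")
    user = environ.get("REMOTE_USER", "")
    if auth_type not in allowed_auth_types:
        return None  # the request did not pass Apache's own authentication
    if not USERNAME_RE.match(user):
        return None  # malformed name: refuse rather than guess
    return user


def wiki_login_from_apache(environ, wiki_users):
    """Map the Apache identity to an existing wiki account.

    wiki_users: mapping of lower-cased wiki username -> canonical name.
    Returns the canonical wiki name, or None if there is no such account.
    No account is auto-created; an htusers name unknown to the wiki stays
    logged out, so Apache auth never widens the wiki's own user set.
    """
    user = apache_authenticated_user(environ)
    if user is None:
        return None
    return wiki_users.get(user.lower())


# Constructed sample account table (assumption, not real Wikka data).
WIKI_USERS = {"willwoodhull": "WillWoodhull", "flurios": "Flurios"}
```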