Apache security bug on htaccess file?

Richard G

Verified User
Joined
Jul 6, 2008
Messages
13,767
Location
Maastricht
Due to a thread on the CSF forum I just discovered that there might be a bug in Apache, making it easily possible to do bruteforces without problems.

On a .htaccess file, when using a wrong username and/or password, normally after 3 attempts you would get an authentication error, which would be logged.
At this moment it's not working like that: when attempting a login, the login screen is presented again and again every time the login fails.

The logfile presents this:
[Tue Feb 25 16:40:10 2014] [error] [client 84.26.xxx.xxx] user dkdk not found: /test/testdir/
Because it says "user not found" instead of "authentication error", the user won't get blocked by the firewall and can keep on trying to bruteforce.

Edit: Just got confirmation that this is also the case on Nginx.
 
Probably it is not a bug in Apache then. Probably the issue relates to CSF itself? And the behaviour of Apache and Nginx which you describe is a designed feature?
 
No I just found out that it's a change in browsers. Previously after 3 attempts you would get an authentication failure.
Now the browser presents you with a new login window every time. I don't have a clue why they changed this.
Anyway, CSF did not see this change and so does not react to the .htaccess failed logins anymore. They know about it over at CSF and there will be a change made in the next release for Apache 2.4.x and hopefully also for 2.2.x.
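A defender-side illustration of the gap discussed in this thread, added here as an example and not code from CSF, Apache or the poster: a small Python scanner that counts failed basic-auth attempts per client IP in an Apache 2.2-style error log, matching both the "user ... not found" line quoted above and the "authentication failure" form. The log lines are constructed samples, and the threshold and pattern set are assumptions rather than CSF's real configuration.

```python
import re
from collections import Counter

# Constructed sample of Apache 2.2-style error-log lines (client IPs are made up).
# The "user ... not found" form is the one quoted in the thread; the
# "authentication failure" form is the one a log-based blocker would typically key on.
SAMPLE_LOG = """\
[Tue Feb 25 16:40:10 2014] [error] [client 84.26.0.1] user dkdk not found: /test/testdir/
[Tue Feb 25 16:40:12 2014] [error] [client 84.26.0.1] user dkdk not found: /test/testdir/
[Tue Feb 25 16:40:15 2014] [error] [client 84.26.0.1] user admin not found: /test/testdir/
[Tue Feb 25 16:40:20 2014] [error] [client 84.26.0.1] user dkdk not found: /test/testdir/
[Tue Feb 25 16:41:01 2014] [error] [client 10.0.0.5] user bob: authentication failure for "/test/testdir/": Password Mismatch
[Tue Feb 25 16:41:30 2014] [error] [client 10.0.0.7] File does not exist: /var/www/favicon.ico
"""

# One pattern per failure form. A blocker that only knows the second form
# never counts the "user not found" attempts, which is the gap the thread describes.
FAILURE_PATTERNS = [
    re.compile(r"\[client (?P<ip>[0-9a-fA-F.:]+)\] user (?P<user>\S+) not found: "),
    re.compile(r"\[client (?P<ip>[0-9a-fA-F.:]+)\] user (?P<user>\S+): authentication failure for "),
]


def failed_logins(log_text, patterns=FAILURE_PATTERNS):
    """Return a Counter of failed basic-auth attempts keyed by client IP."""
    counts = Counter()
    for line in log_text.splitlines():
        for pat in patterns:
            m = pat.search(line)
            if m:
                counts[m.group("ip")] += 1
                break  # one failure per line, whichever form matched
    return counts


def offenders(log_text, threshold=3, patterns=FAILURE_PATTERNS):
    """IPs whose failed-attempt count reaches the (assumed) block threshold."""
    return sorted(ip for ip, n in failed_logins(log_text, patterns).items() if n >= threshold)


if __name__ == "__main__":
    print("with both patterns:      ", offenders(SAMPLE_LOG))
    print("authentication-failure only:", offenders(SAMPLE_LOG, patterns=FAILURE_PATTERNS[1:]))
```

Running it with only the "authentication failure" pattern returns no offenders for the same log, which is the blind spot the thread reports.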
 