Can I manipulate the htpasswd file from a CGI?
Contributors:
- AlanMead amead@soltec.net
Yes. For example, you can write (or find on the 'net) CGI programs that allow users to modify their own passwords or even usernames. You can read the file with something like this:
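    # Read the password file one "user:hash" line at a time
    open(FIL, '<', $passwdname) or die "Cannot open $passwdname: $!";
    while (my $input = <FIL>) {
        chomp($input);                 # strip the trailing newline only
        my @A = split(/:/, $input);    # $A[0] is the username, $A[1] the hash
    }
    close(FIL);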
And you can write it back out too, but you have to open FIL in write or read-write mode.
Here is code to take a plaintext password and encrypt it:
    # Returns its argument encrypted with a random salt.
    sub pw_encrypt {
        my($passwd) = @_;
        my($ascii_salt, $randum_num, @passset);
        # Salt alphabet: letters and digits, omitting look-alikes (l, O, 0, 1)
        @passset = ('a'..'k', 'm'..'z', 'A'..'N',
                    'P'..'Z', '2'..'9');
        $ascii_salt = "";
        for (my $i = 0; $i < 10; $i++) {
            $randum_num = int(rand($#passset + 1));
            $ascii_salt .= $passset[$randum_num];
        }
        # Traditional DES crypt() uses only the first two salt characters
        return crypt($passwd, $ascii_salt);
    }
The only thing you CANNOT do is decrypt an existing (hashed) password. Instead, encrypt the candidate password that the user has submitted, and compare this to the already encrypted password in the password file.
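The compare-then-rewrite flow described above, as an added example that is not part of the original FAQ. The names `password_matches` and `change_password`, the user "alice" and the salts are made up for illustration, and the sketch assumes the platform's crypt() accepts the traditional two-character salt.

```perl
use strict;
use warnings;
use Fcntl qw(:flock SEEK_SET);
use File::Temp qw(tempfile);

# True if $candidate hashes to the stored value. crypt() takes its salt
# from the stored hash, so the candidate is hashed the same way.
sub password_matches {
    my ($candidate, $stored) = @_;
    my $try = crypt($candidate, $stored);
    return defined($try) && $try eq $stored;
}

# Replace $user's hash if $old is correct. Returns 1 on success, 0 otherwise.
sub change_password {
    my ($file, $user, $old, $new_hash) = @_;
    # Refuse values that would add extra fields or lines to the file.
    return 0 if $user =~ /[:\r\n]/ || $new_hash =~ /[:\r\n]/;
    open(my $fh, '+<', $file) or die "Cannot open $file: $!";
    flock($fh, LOCK_EX) or die "Cannot lock $file: $!";  # one writer at a time
    my @lines = <$fh>;
    my $changed = 0;
    for my $line (@lines) {
        chomp(my $copy = $line);
        my ($name, $hash) = split(/:/, $copy, 2);
        next unless defined $hash && $name eq $user;
        next unless password_matches($old, $hash);
        $line = "$user:$new_hash\n";   # $line aliases the array element
        $changed = 1;
    }
    if ($changed) {
        seek($fh, 0, SEEK_SET) or die "Cannot seek: $!";
        truncate($fh, 0)       or die "Cannot truncate: $!";
        print {$fh} @lines;
    }
    close($fh) or die "Cannot close $file: $!";
    return $changed;
}

# Constructed sample file: user "alice" with password "oldpass".
my ($tmp, $path) = tempfile(UNLINK => 1);
print {$tmp} "alice:", crypt("oldpass", "ab"), "\n";
close($tmp);

print change_password($path, "alice", "wrong",   crypt("newpass", "cd")), "\n";
print change_password($path, "alice", "oldpass", crypt("newpass", "cd")), "\n";
```

The exclusive lock matters in a CGI because two requests can run at the same time and would otherwise overwrite each other's changes.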
Copyright 1994-2012 Boutell.Com, Inc. All Rights Reserved.