looking for apache module to strip u/pw from URL

security related

         

steven

3:49 pm on Jan 3, 2004 (gmt 0)




Accessdiver and related brute force hacking programs rely to some degree on Apache accepting URLs with an embedded username and password, e.g.:

[username:password@somesecuredpagehere.com...]

Is there an Apache module that would strip the username and password from any URLs submitted like this, but not affect the normal workings of .htpasswd/.htaccess authorization?

Many thanks in advance.

dcrombie

11:56 am on Jan 4, 2004 (gmt 0)



I think there was a thread on this last week that concluded that the username and password components were actually passed using 'proper' HTTP authentication channels and so don't appear to Apache to be any different from the results of a 'login box'.
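
The point made in the reply above, as an added example that is not part of the original thread: it models a client that moves URL userinfo into an `Authorization: Basic` header and compares what the server receives against the login-box case. The function names, the host `example.com` and the credentials are constructed for illustration.

```python
import base64
from urllib.parse import urlsplit

def build_request(url, login=None):
    """Return the raw HTTP/1.1 request a client sends for `url`.

    Credentials come either from URL userinfo (user:password@host) or from
    `login`, a (user, password) pair standing in for the browser login box.
    Assumption: the client sends the header pre-emptively in both cases.
    """
    parts = urlsplit(url)
    target = parts.path or "/"
    if parts.query:
        target += "?" + parts.query
    host = parts.hostname + (f":{parts.port}" if parts.port else "")
    lines = [f"GET {target} HTTP/1.1", f"Host: {host}"]
    if parts.username is not None:
        login = (parts.username, parts.password or "")
    if login is not None:
        token = base64.b64encode(f"{login[0]}:{login[1]}".encode()).decode()
        lines.append(f"Authorization: Basic {token}")
    return "\r\n".join(lines) + "\r\n\r\n"

def server_view(raw_request):
    """Parse what the server receives: (request target, Host, credentials)."""
    head = raw_request.split("\r\n\r\n", 1)[0].split("\r\n")
    target = head[0].split(" ")[1]
    headers = dict(line.split(": ", 1) for line in head[1:])
    creds = None
    auth = headers.get("Authorization", "")
    if auth.startswith("Basic "):
        user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
        creds = (user, password)
    return target, headers.get("Host"), creds

# Constructed sample: the same credentials supplied two ways.
via_url = build_request("http://alice:s3cret@example.com/members/")
via_box = build_request("http://example.com/members/", login=("alice", "s3cret"))

if __name__ == "__main__":
    print(via_url)
    print("identical on the wire:", via_url == via_box)
    print("server sees:", server_view(via_url))
```

The request line and `Host` header carry no userinfo, so a module that rewrites the URL on the server has nothing to strip.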

steven

1:16 am on Jan 5, 2004 (gmt 0)




Yeah, thanks, I checked first and missed that thread, then found it while looking for something else. Typical. Shame there doesn't appear to be any delete option, otherwise I would have deleted the post.