How secure are .htaccess protected pages

Are there any known flaws with htaccess protected pages?

I know they are acceptable to brute force attacks as there is no limit to the amoun开发者_C百科t of times someone can attempt to login. And if a user can uploaded and execute a file on the server, all bets are off...

Are there any other .htaccess flaws?

.htaccess is just a means of specifying Apache configuration directives on a per-directory basis. They allow numerous different kinds of password protection.

If you are talking about HTTP Basic Authentication then the username and password are sent in cleartext with every request and are subject to sniffing (assuming you aren't using SSL).

Aside from that, they are subject to the usual issues that any password based system suffers from.

Using HTTP Basic Authentication doesn't grant any additional ability for users to upload and execute files. If they can do that already, then they can still do that. If they couldn't, they can't.

The use of .htaccess is common and is fairly secure. However it makes you more susceptible to other attacks, such as remote file file disclosure vulnerabilities. For instance the follow code could be used to undermine .htaccess.

include("./path/to/languages/".$_GET['lang']);

An exploit would look like this:

http://127.0.0.1/LFI_Vuln.php?lang=../../../.htaccess

This will cause the contents of .htaccess to be displayed to the attacker.