Bug #1538 Security Data Lost w/ FORMS When METHOD=POST
Submitted: 1999-06-14 14:33 UTC Modified: 1999-06-14 15:51 UTC
From: alex at pog dot ufl dot edu Assigned:
Status: Closed Package: Other
PHP Version: 3.0.9 OS: Linux 2.2.9
Private report: No CVE-ID: None

 

 [1999-06-14 14:33 UTC] alex at pog dot ufl dot edu
I have 2 PHP scripts; the output of one calls the other through an HTML FORM POST operation.  The $REMOTE_USER value is null in the second script even though it is set in the first script.  Both PHP scripts are in an area of the document root where Apache is configured to require authentication.

Example Snippets:
Script One:
$inst_query = "SELECT * FROM SECURITY_SC WHERE ACCOUNT='$REMOTE_USER'";
echo $inst_query;
echo "<TR><TD>\n";
echo "<FORM ACTION=optf_dlc_list.php3 METHOD=POST>\n";
echo "<INPUT TYPE=HIDDEN NAME=pog_no VALUE=$pog_no>\n";
echo "<INPUT TYPE=HIDDEN NAME=study_no VALUE=$study_no>\n";
echo "<INPUT TYPE=HIDDEN NAME=accsn_no VALUE=$accsn_no>\n";
echo "<INPUT TYPE=SUBMIT VALUE=\"View Reports\"></TD>\n";
echo "<TD>$pog_no</TD><TD>$study_no</TD><TD>$accsn_no</TD></TR>\n";
echo "</FORM>\n";

Script One Output:
SELECT * FROM SECURITY_SC WHERE ACCOUNT='abrennen';

Script Two Snippet:
$inst_query = "SELECT * FROM SECURITY_SC WHERE ACCOUNT='$REMOTE_USER'";

Script Two Output:
SELECT * FROM SECURITY_SC WHERE ACCOUNT=''

I'm running Apache 1.3.6 w/ BenSSL patch 1.3.5 and PHP 3.0.9 on
Red Hat Linux 5.2 with Kernel 2.2.9 with the AC bugtraq 2.2.x patch
applied.  I'm using OpenSSL 0.9.3a.  PHP is running as an Apache
Module.  I'm accessing the scripts with Netscape Communicator
version 4.6 (I've tried on both Linux and Win95).  Netscape does
not appear to be losing its authentication tokens (I haven't checked
but I am not asked to re-enter them when I access the PHP script
which does not have the $REMOTE_USER information.)

Apache CONFIG:
./configure --prefix=/www --activate-module=src/modules/php3/libphp3.a --activate-module=auth_dbm

PHP CONFIG:
./configure --with-apache=../apache_1.3.6 --with-config-file-path=/etc --with-oracle=/home/vab/oracle

Please let me know when this is fixed...  We're developing a very large
number of PHP applications for our research group in which security
is very important.

Thank you - PHP is an awesome product.  Feel free to contact me
for additional information or code.

 	- VAB

 [1999-06-14 15:51 UTC] rasmus at cvs dot php dot net
This was due to the auth being triggered by a <limit GET> tag which meant it didn't apply to POST requests.
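
The cause given in the reply above can be checked for mechanically. The following is an added example, not part of the original report or of PHP or Apache: a small Python audit that flags `require` lines enclosed in a `<Limit>` block, run over two constructed configurations. The directory path, realm name and user-file path are assumptions.

```python
import re

# Constructed sample of the misconfiguration: auth is required for GET only.
# The directory and user-file paths are assumptions, not taken from the report.
WEAK = """\
<Directory /www/htdocs/secure>
AuthType Basic
AuthName "Research"
AuthDBMUserFile /www/conf/users
<Limit GET>
require valid-user
</Limit>
</Directory>
"""

# Constructed corrected form: no <Limit> wrapper, so every method is covered.
FIXED = """\
<Directory /www/htdocs/secure>
AuthType Basic
AuthName "Research"
AuthDBMUserFile /www/conf/users
require valid-user
</Directory>
"""

LIMIT_OPEN = re.compile(r"^\s*<Limit\s+([^>]*)>", re.I)   # not <LimitExcept>
LIMIT_CLOSE = re.compile(r"^\s*</Limit>", re.I)
REQUIRE = re.compile(r"^\s*require\s+\S", re.I)

def audit(config_text):
    """Return (line_no, methods) for each `require` that an enclosing
    <Limit> restricts to the listed methods; other methods skip the check."""
    findings, methods = [], None
    for n, line in enumerate(config_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        opened = LIMIT_OPEN.match(line)
        if opened:
            methods = [m.upper() for m in opened.group(1).split()]
        elif LIMIT_CLOSE.match(line):
            methods = None
        elif methods is not None and REQUIRE.match(line):
            findings.append((n, methods))
    return findings

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("FIXED", FIXED)):
        for n, methods in audit(text):
            print(f"{name} line {n}: require applies only to {methods}")
```

With the `WEAK` form a POST to the same directory is served without authentication, which is why `$REMOTE_USER` was empty in the second script.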
 