php.net |  support |  documentation |  report a bug |  advanced search |  search howto |  statistics |  random bug |  login
Bug #42347 Inconsistency of treatments of PHP_AUTH_PW and HTTP Authorization header
Submitted: 2007-08-20 10:48 UTC Modified: 2008-07-11 21:29 UTC
Votes:1
Avg. Score:5.0 ± 0.0
Reproduced:1 of 1 (100.0%)
Same Version:0 (0.0%)
Same OS:0 (0.0%)
From: c dot i dot morris at durham dot ac dot uk Assigned:
Status: Wont fix Package: Safe Mode/open_basedir
PHP Version: 4.4.7 OS: Linux+Apache
Private report: No CVE-ID: None
View Developer Edit
Welcome! If you don't have a Git account, you can't do anything here.
If you reported this bug, you can edit this bug over here.
(description)
Block user comment
Status: Assign to:
Package:
Bug Type:
Summary:
From: c dot i dot morris at durham dot ac dot uk
New email:
PHP Version: OS:

 

 [2007-08-20 10:48 UTC] c dot i dot morris at durham dot ac dot uk
Description:
------------
In safe mode, the PHP_AUTH_PW variable is not available to users if the authorisation was handled by Apache rather than PHP (e.g. Apache's various mod_auth_*). This correctly prevents users from reading the passwords from a central user database simply by getting a logged-in user to view their page.

However, the HTTP Authorization header is not similarly filtered out in safe_mode, allowing a malicious user to use the code below to read other users' passwords.

This definitely affects apache_request_headers() - if there are any other functions also allowing reading of HTTP request headers, they should also be checked.

Reproduce code:
---------------
<?php
// in a directory with Basic auth via Apache configuration
$headers = apache_request_headers();
$auth = substr($headers['Authorization'],6);
$up = base64_decode($auth);
print($up);
?>

Expected result:
----------------
Should not print anything.

Actual result:
--------------
Prints username and password of authenticated user

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports
 [2008-07-11 21:29 UTC] jani@php.net
We are sorry, but we can not support PHP 4 related problems anymore.
Momentum is gathering for PHP 6, and we think supporting PHP 4 will
lead to a waste of resources which we want to put into getting PHP 6
ready.


 
PHP Copyright © 2001-2024 The PHP Group
All rights reserved.
Last updated: Sat Dec 21 13:01:31 2024 UTC