PHP :: Bug #1538 :: Security Data Lost w/ FORMS When METHOD=POST

Bug #1538	Security Data Lost w/ FORMS When METHOD=POST
Submitted:	1999-06-14 14:33 UTC	Modified:	1999-06-14 15:51 UTC
From:	alex at pog dot ufl dot edu	Assigned:
Status:	Closed	Package:	Other
PHP Version:	3.0.9	OS:	Linux 2.2.9
Private report:	No	CVE-ID:	None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	alex at pog dot ufl dot edu
New email:
PHP Version:		OS:

New Comment:

[1999-06-14 14:33 UTC] alex at pog dot ufl dot edu

I have 2 PHP Scripts, the out put of one calls the other through a HTML FORM POST operation.  The $REMOTE_USER value is null in the second script even though it is set in the first script.  Both PHP Scripts are in a 
area of the document root where apache is configured to require
authentication. 

Example Snippets:
Script One:
$inst_query = "SELECT * FROM SECURITY_SC WHERE ACCOUNT='$REMOTE_USER'";
echo $inst_query;
		echo "<TR><TD>\n";
		echo "<FORM ACTION=optf_dlc_list.php3 METHOD=POST>\n";
		echo "<INPUT TYPE=HIDDEN NAME=pog_no VALUE=$pog_no>\n";
		echo "<INPUT TYPE=HIDDEN NAME=study_no
VALUE=$study_no>\n";
		echo "<INPUT TYPE=HIDDEN NAME=accsn_no
VALUE=$accsn_no>\n";
		echo "<INPUT TYPE=SUBMIT VALUE=\"View
Reports\"></TD>\n";
		echo "<TD>$pog_no</TD><TD>$study_no</TD><TD>$accsn_no</TD></TR>\n";
		echo "</FORM>\n";

Script One Output:
SELECT * FROM SECURITY_SC WHERE ACCOUNT='abrennen';

Script Two Snippet:
$inst_query = "SELECT * FROM SECURITY_SC WHERE ACCOUNT='$REMOTE_USER'";

Script Two Output:
SELECT * FROM SECURITY_SC WHERE ACCOUNT=''

I'm running Apache 1.3.6 w/ BenSSL patch 1.3.5 and PHP 3.0.9 on
Red Hat Linux 5.2 with Kernel 2.2.9 with the AC buqtraq 2.2.x patch
applied.  I'm using OpenSSL 0.9.3a.  PHP is running as an Apache
Module.  I'm accessing the scripts with Netscape Communicator
version 4.6 (I've tried on both Linux and Win95).  Netscape does
not appear to be loosing it's authentication tokens (I haven't checked
but I am not asked to re-enter them when I access the PHP script
which does not have the $REMOTE_USER information.)

Apache CONFIG:
./configure --prefix=/www --activate-module=src/modules/php3/libphp3.a --activate-module=auth_dbm

PHP CONFIG:
./configure --with-apache=../apache_1.3.6 --with-config-file-path=/etc --with-oracle=/home/vab/oracle

Please let me know when this is fixed...  We're developing a very large
number of PHP applications for our research group in which security
is very important.

Thank you - PHP is an awsome product.  Feel free to contact me
for additional information or code.

 	- VAB

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[1999-06-14 15:51 UTC] rasmus at cvs dot php dot net

This was due to the auth being triggered by a <limit GET> tag which meant it didn't apply to POST requests.

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2024 The PHP Group All rights reserved.	Last updated: Fri Nov 01 03:01:28 2024 UTC